Fortinet breaks HTTPS

… but they are not the only one.

This morning, I was working at a client's premises, and when I logged into my Google Apps mail account, Firefox greeted me with the you-are-connecting-to-an-untrusted-HTTPS-website banner.

After checking the certificate, I noticed it was in fact issued by Fortigate/Fortinet.

That's what we call a Man-In-The-Middle (MITM) attack: the interceptor sits in the middle, pretends to be the party someone is trying to reach, and can therefore eavesdrop on their data, credentials, etc. in the clear.

Well, at least they were using a self-signed certificate that was not recognized by a root CA. But what if they add such a certificate? I remember seeing an article about such equipment that has a valid certificate and can therefore silently snoop on any HTTPS communication, without anyone ever noticing.

Does this render HTTPS completely useless? Who will really disable the renegade root CA in their browser, and manually check and set up trusted certificates one by one for the websites they visit?
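One way to do that one-by-one check programmatically, as an added example that is not part of the original post: pin the SHA-256 fingerprint of the leaf certificate you expect, and flag a received certificate that is self-signed, that names a TLS-inspection vendor in its issuer, or that does not match the pin. The vendor substrings, the pinned value and the sample certificate fields are constructed assumptions.

```python
import hashlib
import socket
import ssl

# Constructed: issuer substrings that identify known TLS-inspection products.
INSPECTION_VENDORS = ("fortigate", "fortinet")


def rdn_to_dict(rdn_seq):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) structure."""
    return {key: value for rdn in rdn_seq for key, value in rdn}


def fingerprint_sha256(der_bytes):
    """Hex SHA-256 of the DER certificate, as shown in browser certificate viewers."""
    return hashlib.sha256(der_bytes).hexdigest()


def assess_certificate(cert_info, der_bytes, pinned_sha256=None):
    """Return findings explaining why the received certificate looks intercepted.

    cert_info is a dict in the format returned by ssl.SSLSocket.getpeercert();
    Python only fills it when the chain verified, i.e. when the inspecting CA
    has been installed as a trusted root (the silent case). der_bytes is the raw
    leaf certificate, available even when verification is disabled."""
    findings = []
    subject = rdn_to_dict(cert_info.get("subject", ()))
    issuer = rdn_to_dict(cert_info.get("issuer", ()))
    if subject and subject == issuer:
        findings.append("self-signed: issuer equals subject")
    issuer_text = " ".join(issuer.values()).lower()
    for vendor in INSPECTION_VENDORS:
        if vendor in issuer_text:
            findings.append(f"issuer names a TLS-inspection vendor: {vendor}")
    if pinned_sha256:
        expected = pinned_sha256.lower().replace(":", "")
        actual = fingerprint_sha256(der_bytes)
        if actual != expected:
            findings.append(f"leaf fingerprint {actual[:16]}... != pinned {expected[:16]}...")
    return findings


def probe(host, pinned_sha256, port=443):
    """Fetch the leaf certificate even if untrusted (CERT_NONE) and assess it.
    Needs network access; the offline checks exercise assess_certificate directly."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return assess_certificate(tls.getpeercert(), der, pinned_sha256)
```

With the inspecting CA installed as a trusted root, the browser shows no banner, so the issuer check is what reveals the interception; without it, the fingerprint pin still catches the self-signed certificate.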

Finally, this issue is perhaps one of the oldest in human behaviour: trust.
