Vulnerability Development mailing list archives
Re: Fortigate Bypass
From: "Eddie Bell" <ejlbell () gmail com>
Date: Thu, 20 Jul 2006 11:05:34 +0200
On 20/07/06, Louis Wang <bill.louis () gmail com> wrote:

> hi there
> https is born to keep the connection secret between two peers. Only the two ends of a connection can see the clear text; gateways and routers cannot see the clear text. So technically, Fortigate or other gateways cannot deal with https content text.

Technically it is not hard to do, the gateway just needs to accept the https connection and reply with its own certificate, which has been added to all the browsers behind the gateway. Then forward the https request to the correct site. It's a legitimate man-in-the-middle attack.

> And more, if FortiGate can know your https connection content, the FortiGate administrator can see your credit card account and password when you log on to a bank website through FortiGate by https. Would you like to see this thing? :)

If you do not trust the administration then you should not be using your credit card. Watching http sessions is not a big deal compared to some of the things the admins have power to do. If they wanted to compromise your privacy they have many choices.

- ejlb