
Re: Fortigate Bypass



On 20/07/06, Louis Wang <bill.louis@xxxxxxxxx> wrote:
> Hi there,
> https is born to keep a connection secret between two peers.
> Only the two ends of a connection can see the clear text; gateways and
> routers cannot see the clear text. So technically, Fortigate or other
> gateways cannot deal with https content text.

Technically it is not hard to do, the gateway just needs to accept
the https connection and reply with its own certificate, which has been
added to all the browsers behind the gateway. Then forward the https
request to the correct site. It's a legitimate man-in-the-middle
attack.

> And more, if FortiGate
> can know your https connection content, the FortiGate administrator can see
> your credit card account and password when you log on to a bank website
> through FortiGate by https. Would you like to see this thing? :)

If you do not trust the administration then you should not be using
your credit card. Watching http sessions is not a big deal compared to
some of the things the admins have power to do. If they wanted to
compromise your privacy they have many choices.

- ejlb
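
A user behind such a gateway can still tell that the certificate came from the gateway's CA rather than from the site's own issuer, even though the browser accepts it. The check below is an added example, not part of the original message; the certificate dicts follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and every host name, CA name and byte string in it is constructed for illustration.

```python
import hashlib

# Constructed sample data in the dict shape of ssl.SSLSocket.getpeercert().
# All names and "DER" byte strings are made up for this example.
DIRECT_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA G2"),)),
}
VIA_GATEWAY_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("organizationName", "Corp IT"),),
               (("commonName", "Corp Gateway Inspection CA"),)),
}
DIRECT_DER = b"constructed-der-bytes-of-site-certificate"
GATEWAY_DER = b"constructed-der-bytes-of-gateway-reissued-certificate"


def name_field(rdns, key):
    """Return the first value of `key` in a getpeercert()-style name tuple."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None


def fingerprint(der):
    """SHA-256 fingerprint of the leaf certificate's DER encoding."""
    return hashlib.sha256(der).hexdigest()


def assess(cert, der, expected_issuer_cn, pinned_sha256):
    """Classify a connection that already passed normal chain validation."""
    issuer_cn = name_field(cert["issuer"], "commonName")
    findings = []
    if issuer_cn != expected_issuer_cn:
        findings.append(f"issuer is {issuer_cn!r}, expected {expected_issuer_cn!r}")
    if fingerprint(der) != pinned_sha256:
        findings.append("leaf fingerprint differs from the value recorded out of band")
    return {"host": name_field(cert["subject"], "commonName"),
            "intercepted": bool(findings), "findings": findings}


# Assumption: the pin was recorded on a network without the gateway in path.
PIN = fingerprint(DIRECT_DER)
```

A fingerprint mismatch alone also occurs when the site renews its certificate, so the issuer comparison is the stronger signal of the two.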