Fortigate SSL Inspection?


#1

The Fortinet Fortigate product by default does a MITM attack to deep inspect all SSL and TLS traffic.

Is there a way to create a certificate for a Fortinet device that would allow this? Currently our implementations require installing the self-signed certificate on each computer.

Based on this post, we should probably wait until fortigate supports this.

Background on the fortigate feature:
http://yurisk.info/2013/05/04/disabling-ssl-deep-inspection-proxy-in-fortigate-should-be-easier/


#2

No, SSL inspection is not possible under the public CA model. You should be researching ways to more easily deploy the root certificate to all your devices, or switching the mode to only block by domain name.


#3

Maybe a little bit incorrect. It is possible, but if it became public, it would already mean the ruin for the CA that supported it.

The question even shows that there is no knowledge of how certificates work.

  1. If we allow Fortinet -> Some Gateway -> Any Person to obtain a certificate for any domain that he selects, then the certificate does not imply any trust.

  2. The idea of doing a deep inspection of SSL/TLS traffic also collides with the idea of SSL:
  • Secrecy
  • Unmodified data (possible with protocol changes)
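The point made in #2 and #3 (an inspection certificate is only trusted where the private root has been installed; no public CA store will accept it) can be reproduced with nothing but the openssl command line. The script below is an added example and is not code from anyone in this thread or from Fortinet: it builds a throwaway "inspection" root, issues a leaf certificate for a hostname the operator does not own (www.example.com is a placeholder), and then verifies that leaf once against the private root and once against an unrelated root standing in for the public CA store. It assumes the openssl CLI is installed and that mktemp is available.

```shell
#!/bin/sh
# Added example (not from the thread or from Fortinet): demonstrate why an
# SSL-inspection certificate is trusted only where its private root is installed.
# Assumptions: openssl CLI present; www.example.com is a placeholder hostname.

demo_dir=$(mktemp -d)

make_inspection_ca() {
  # The private root the inspecting gateway holds. Its private key must stay on
  # the gateway, and its public certificate must be pushed to every client.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Inspection Root" \
    -keyout "$demo_dir/root.key" -out "$demo_dir/root.pem" >/dev/null 2>&1
}

make_public_root() {
  # An unrelated self-signed root: stands in for the public CA store that
  # clients ship with and that never contains the inspection root.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Public Root" \
    -keyout "$demo_dir/public.key" -out "$demo_dir/public.pem" >/dev/null 2>&1
}

issue_leaf() {
  # Leaf certificate for a host the gateway does not own, signed by the private
  # root; this is what an inspected client sees instead of the real site cert.
  # (CN only, no SAN: enough for chain verification, not for modern browsers.)
  host=$1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$demo_dir/leaf.key" -out "$demo_dir/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$demo_dir/leaf.csr" \
    -CA "$demo_dir/root.pem" -CAkey "$demo_dir/root.key" -CAcreateserial \
    -days 1 -out "$demo_dir/leaf.pem" >/dev/null 2>&1
}

# Exit status 0 if the leaf chains to the given trust store, non-zero otherwise.
verify_with_store() {
  openssl verify -CAfile "$1" "$demo_dir/leaf.pem" >/dev/null 2>&1
}

# Exit status 0 if the leaf's issuer is the private inspection root: the same
# check a client can run to notice that its connection is being intercepted.
leaf_issued_by_inspection_root() {
  openssl x509 -in "$demo_dir/leaf.pem" -noout -issuer | grep -q "Demo Inspection Root"
}
```

Run make_inspection_ca, make_public_root and issue_leaf in that order, then call verify_with_store with root.pem (succeeds) and with public.pem (fails). The second call is the situation of every client that has not had the root deployed to it, which is why #2's advice reduces to either distributing that root to every device or not intercepting at all.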

#4

As far as I understand it, and as is implied in Cisco ASA and/or IOS support, the Fortinet Fortigate gateway can be used to intercept traffic to your own site/your own server behind the gateway.
In this case it’s of course possible to intercept the traffic as you own the private key of your webserver.


#5

Thank you for the replies.

I agree that it’s a big security hole. If you use it, you’ll want to create the certificate and then erase forever the private signing key.

This gives some insight as well:
https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html