HTTPS redirects to HTTP for monitoring

John Levine johnl at
Mon Jan 19 21:56:04 UTC 2015

>We use Fortinet firewalls and SSL (HTTPS, FTPS, IMAPS, POP3S, SMTPS,
>SSH) inspection is a standard feature.  It works by rolling out a custom
>CA certificate from the device to all of the desktops and whenever you
>hit an SSL site, a cert signed with the CA is generated and presented to
>the user. If you look at the cert your browser has, you can tell the CA
>is different but most users aren't looking at that.

By the way, I hope that all of the people who have been ranting about
this have read this note.  The only way this filtering works is if the
client computers have a special CA cert installed into their browsers.
That means it's a private organizational network that manages all its
client computers, or it's a service where the users specifically do
something on their own computers to enable it.

It may not be a very good idea, but it's definitely not evil people
secretly spying on traffic of innocent victims.


More information about the NANOG mailing list