Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Ahmed_M
Staff
Staff

Created on ‎10-30-2023 10:05 PM

Article Id 281929

Technical Tip: Enhancing explicit Web proxy Security through SSL/TLS channel

Description

This article discusses the vulnerabilities in SSL/TLS protocols and the risks associated with outdated SSL versions still in use.

It also highlights Fortinet’s solution in FortiOS v7.4 for enhancing web security through a secure TLS channel for explicit web proxy traffic.
Scope FortiGate.
Solution

Background:

SSL/TLS, when implemented correctly, serves as a robust protocol for ensuring data security during its transmission from a client's browser to a web server.

However, this technology is not impervious to vulnerabilities, including weak ciphers and other potential threats.

Over the past three decades, multiple versions of SSL and TLS have been released to address these weaknesses, as they could potentially expose systems to exploitation by attackers seeking access to valuable data.

 

Despite the improvements in newer TLS versions, a significant challenge remains: many online applications and websites continue to support outdated SSL protocols even when equipped with a newer SSL certificate.

This situation has not escaped the notice of hackers, who can exploit these vulnerabilities and the older support to orchestrate a protocol downgrade attack.

In such an attack, the user's browser is coerced into reconnecting to the website using an outdated protocol.

While most modern browsers protect against SSLv2 connections, SSLv3, more than 20 years old, still lingers.

Additionally, SSL itself remains susceptible to various potential attacks, including vulnerabilities like BREACH and Heartbleed.

 

The current explicit web proxy feature available in FortiOS v7.2 and earlier facilitates web traffic proxying over HTTP or HTTPS channels.

However, it is worth noting that the internal web traffic between the client machine and the FortiGate proxy server occurs in the trusted zone side.

Yet, this arrangement does not completely shield against potential man-in-the-middle eavesdropping inside job.

Also in instances where weak HTTPS implementations are employed, user data could be left vulnerable to interception.  

For additional information on eavesdropping attacks, please refer to the following resource provided by FortiGuard Labs threat intelligence:

Eavesdropping Definition

 

Solution:

To bolster the security of explicit web proxy functionality, FortiOS v7.4 introduces a novel feature that enables the creation of secure TLS channels.

These channels serve to encapsulate explicit web proxy traffic, thereby enhancing security during the exchange of data between the end user's browser and the FortiGate proxy server.

 

For a comprehensive understanding of this feature and an illustrative example, refer to the following link:

Configuring a secure explicit proxy

 

In conclusion, as cyber threats continually evolve, it is imperative for organizations to stay ahead of the curve in safeguarding their data. FoS’s SSL/TLS proxy upgrade, as introduced in FoS version 7.4, represents a significant step toward ensuring the utmost security for web traffic and protection against potential vulnerabilities.

 

Related Articles:

What is the Meaning of HTTP?

HTTPS Definition
1131
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.