All of the company's default SSL certificates use a router's serial number as the server name for the certificate. While the company could use the router's serial number to check if the server names match, the client appears not to verify the server name at all, according to SAM Seamless Network's research. The researchers even designed a MitM proof of concept (PoC) to show how an attacker can easily re-route the traffic to their server, display their own certificate, and then decrypt an organization's VPN traffic.

In Fortinet's defense, the company's client displays the following warning when a customer uses the default certificate: "You are using a default built-in certificate, which will not be able to verify your server's domain name (your users will see a warning). It is recommended to purchase a certificate for your domain and upload it for use."

At the moment, Fortinet has no plans to address this issue, as users can manually replace the default certificate on their own to protect their networks from MitM attacks. The company offered further details on the matter in a statement to The Hacker News, which reads:

"The security of our customers is our first priority. Fortinet VPN appliances are designed to work out-of-the-box for customers so that organizations are enabled to set up their appliance customized to their own unique deployment. Each VPN appliance and the set-up process provides multiple clear warnings in the GUI with documentation offering guidance on certificate authentication and sample certificate authentication and configuration examples. Fortinet strongly recommends adhering to its provided installation documentation and process, paying close attention to warnings throughout that process to avoid exposing the organization to risk."
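As an added illustration (not code from the article, from Fortinet or from SAM Seamless Network), the following Python snippet shows the check the research says the client is missing: matching the names in the gateway's certificate against the hostname the client expects, and refusing a self-signed certificate whose subject is an opaque identifier rather than a DNS name. The two certificate dicts are constructed samples in the shape `ssl.SSLSocket.getpeercert()` returns; the hostnames and the serial-style common name are placeholders, not real Fortinet values.

```python
"""Server-name verification for a VPN gateway certificate (added example)."""
import ssl

# Constructed sample certificates in the dict layout returned by
# ssl.SSLSocket.getpeercert(). The values are placeholders, not real data.
# A factory-default style certificate: self-signed, CN is an opaque
# serial-style identifier, no subjectAltName.
DEFAULT_STYLE_CERT = {
    "subject": ((("commonName", "EXAMPLE-SERIAL-0001"),),),
    "issuer": ((("commonName", "EXAMPLE-SERIAL-0001"),),),
}
# A certificate issued for the gateway's real DNS name by a CA.
PROPER_CERT = {
    "subject": ((("commonName", "vpn.example.org"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "subjectAltName": (("DNS", "vpn.example.org"), ("DNS", "*.example.org")),
}


def dns_names(cert):
    """Collect the DNS identities a certificate claims (SAN first, CN fallback)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # only fall back to the CN when no SAN is present
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, hostname):
    """Case-insensitive match; a leading '*.' covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.org"
        if not hostname.endswith(suffix):
            return False
        return "." not in hostname[: -len(suffix)]
    return pattern == hostname


def is_self_signed(cert):
    return cert.get("subject") == cert.get("issuer")


def verify_gateway_cert(cert, expected_host):
    """Return (accepted, reason) for a peer certificate against the expected name.

    This is the decision a client must make *before* trusting the tunnel; a
    client that skips it will accept any certificate an on-path party presents.
    """
    if is_self_signed(cert):
        return False, "certificate is self-signed (default built-in certificate?)"
    names = dns_names(cert)
    if not any(name_matches(n, expected_host) for n in names):
        return False, f"no name in {names} matches {expected_host!r}"
    return True, "ok"


def hardened_client_context():
    """TLS context that refuses unverified peers and checks the server name.

    Setting check_hostname=False / CERT_NONE would reproduce the behaviour the
    research describes, so both are pinned explicitly here.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_verifies_hostname(ctx):
    """True when the context both requires a certificate and checks the name."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    for label, cert in (("default-style", DEFAULT_STYLE_CERT), ("proper", PROPER_CERT)):
        print(label, verify_gateway_cert(cert, "vpn.example.org"))
    print("hardened context ok:", context_verifies_hostname(hardened_client_context()))
```

The `verify_gateway_cert` decision is what a certificate bought for the gateway's domain and uploaded to the appliance makes possible: once the subject names are real DNS names, a client can compare them with the address it dialled, and a substituted certificate from another party no longer passes.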