<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=gb2312"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:宋体;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:宋体;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Arial Unicode MS";
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"\@Arial Unicode MS";
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"\@宋体";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"批注框文本 Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin:0cm;
margin-bottom:.0001pt;
text-indent:21.0pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.Char
{mso-style-name:"批注框文本 Char";
mso-style-priority:99;
mso-style-link:批注框文本;
font-family:"Calibri","sans-serif";}
p.BalloonText, li.BalloonText, div.BalloonText
{mso-style-name:"Balloon Text";
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle24
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle25
{mso-style-type:personal-reply;
font-family:"Arial Unicode MS","sans-serif";
color:#1F497D;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=ZH-CN link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Arial Unicode MS","sans-serif";color:#1F497D'>Rich,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Arial Unicode MS","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Arial Unicode MS","sans-serif";color:#1F497D'>I like Hanrui said </span><span lang=EN-US style='font-size:12.0pt;color:#1F497D'>“</span><span lang=EN-US style='font-size:12.0pt;font-family:"Arial Unicode MS","sans-serif";color:#1F497D'>that's why we applied to join the forum</span><span lang=EN-US style='font-size:12.0pt;color:#1F497D'>”</span><span lang=EN-US style='font-size:12.0pt;font-family:"Arial Unicode MS","sans-serif";color:#1F497D'>. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Arial Unicode MS","sans-serif";color:#1F497D'>I like to introduce more China browsers and more CA join the CAB Forum to let them have the chance to learn more about the international standard, to learn more from other browsers and from other CAs, this will help to make good browsers and issue better certificate to improve the security of Internet in China. China Internet user is No. 1 in the world, China Internet more secure means the World Internet more secure. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Arial Unicode MS","sans-serif";color:#1F497D'>But we should give them time to learn and to improve, I suggest CAB Forum members never say </span><span lang=EN-US style='font-size:12.0pt;color:#1F497D'>“</span><span lang=EN-US>move for their immediate expulsion from this Forum</span><span lang=EN-US style='font-size:12.0pt;color:#1F497D'>”</span><span lang=EN-US style='font-size:12.0pt;font-family:"Arial Unicode MS","sans-serif";color:#1F497D'>, this don</span><span lang=EN-US style='font-size:12.0pt;color:#1F497D'>’</span><span lang=EN-US style='font-size:12.0pt;font-family:"Arial Unicode MS","sans-serif";color:#1F497D'>t solve the problem. And this don</span><span lang=EN-US style='font-size:12.0pt;color:#1F497D'>’</span><span lang=EN-US style='font-size:12.0pt;font-family:"Arial Unicode MS","sans-serif";color:#1F497D'>t have any help for Internet security.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Arial Unicode MS","sans-serif";color:#1F497D'>I remember Ben and Dean said before like this: CAB Forum welcome many related companies to join, this will enlarge CABF influence, and will help to improve Internet security. I think this is very good idea for world Internet security.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Arial Unicode MS","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Arial Unicode MS","sans-serif";color:#1F497D'>Thanks for all of your help, help others is helping ourselves since we are in one world, one Internet.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Arial Unicode MS","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><p class=MsoNormal style='text-align:justify;text-justify:inter-ideograph'><span lang=EN-US style='font-size:10.5pt;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='text-align:justify;text-justify:inter-ideograph'><span lang=EN-US style='font-size:10.5pt;color:#1F497D'>Best Regards,<o:p></o:p></span></p><p class=MsoNormal style='text-align:justify;text-justify:inter-ideograph'><span lang=EN-US style='font-size:10.5pt;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='text-align:justify;text-justify:inter-ideograph'><span lang=EN-US style='font-size:10.5pt;color:#1F497D'>Richard<o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Arial Unicode MS","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Rich Smith<br><b>Sent:</b> Wednesday, October 22, 2014 9:17 PM<br><b>To:</b> '</span><span style='font-size:10.0pt;font-family:宋体'>高寒蕊</span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>'; public@cabforum.org<br><b>Cc:</b> '</span><span style='font-size:10.0pt;font-family:宋体'>石晓虹</span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>'<br><b>Subject:</b> Re: [cabfpub] China MITMing icloud.com<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Dear 360 Browser staff,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Thank you for this response. As noted by others, I think your product needs some further work to be considered truly secure against these kinds of attacks, however I am glad to know that the original article's allegations seem to be unfounded. I think I can safely speak for all Forum members in saying that we look forward to working with you to further enhance the SSL/TLS certificate usage and security within the Chinese market.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Kind regards,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Rich Smith<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Validation Manager<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Comodo<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> </span><span style='font-size:10.0pt;font-family:宋体'>高寒蕊</span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> [<a href="mailto:gaohanrui@360.cn">mailto:gaohanrui@360.cn</a>] <br><b>Sent:</b> Tuesday, October 21, 2014 11:20 PM<br><b>To:</b> <a href="mailto:richard.smith@comodo.com">richard.smith@comodo.com</a>; <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Cc:</b> </span><span style='font-size:10.0pt;font-family:宋体'>王天平</span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>; </span><span style='font-size:10.0pt;font-family:宋体'>贾正强</span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>; </span><span style='font-size:10.0pt;font-family:宋体'>石晓虹</span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><br><b>Subject:</b> </span><span style='font-size:10.0pt;font-family:宋体'>答复</span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>: [cabfpub] China MITMing icloud.com<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>This article is not the truth.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>360 browser can identify the fake certification and alert the users in both address-bar and the infobar (the yellow tip right on top of the page). Attached you can find the screenshot.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><img border=0 width=412 height=162 id="图片_x0020_1" src="cid:image001.jpg@01CFEE43.E3A89710"><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>We also made the announcement to our users in major it websites(<a href="http://www.cnetnews.com.cn/2014/1021/3036881.shtml">CNET</a>, <a href="http://soft.chinabyte.com/32/13115032.shtml">ChinaByte</a>, etc.) and <a href="http://weibo.com/1709486153/BsAXnxSbS?mod=weibotime&type=comment#_rnd1413946061334">Sina Weibo</a> (aka, the Chinese twitter). <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Any other questions?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>360 Browser<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:宋体'>发件人<span lang=EN-US>:</span></span></b><span lang=EN-US style='font-size:10.0pt;font-family:宋体'> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] </span><b><span style='font-size:10.0pt;font-family:宋体'>代表 </span></b><span lang=EN-US style='font-size:10.0pt;font-family:宋体'>Rich Smith<br></span><b><span style='font-size:10.0pt;font-family:宋体'>发送时间<span lang=EN-US>:</span></span></b><span lang=EN-US style='font-size:10.0pt;font-family:宋体'> 2014</span><span style='font-size:10.0pt;font-family:宋体'>年<span lang=EN-US>10</span>月<span lang=EN-US>21</span>日<span lang=EN-US> 22:41<br></span><b>收件人<span lang=EN-US>:</span></b><span lang=EN-US> <a href="mailto:public@cabforum.org">public@cabforum.org</a><br></span><b>主题<span lang=EN-US>:</span></b><span lang=EN-US> [cabfpub] China MITMing icloud.com</span></span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><a href="https://en.greatfire.org/blog/2014/oct/china-collecting-apple-icloud-data-attack-coincides-launch-new-iphone">https://en.greatfire.org/blog/2014/oct/china-collecting-apple-icloud-data-attack-coincides-launch-new-iphone</a><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>The above article states that within China's great firewall, <a href="http://www.icloud.com">www.icloud.com</a> is connecting with a self signed certificate. The article also states that the Qihoo 360 Browser passes the user right through with no warning or other indication that the connection is unsafe.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>I have no way to independently verify that accusation, BUT given that we just approved the 360 Browser's CA/B membership application, I think this needs to be investigated.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>If the accusation is found to be accurate, barring a VERY good explanation from the 360 Browser team, I would move for their immediate expulsion from this Forum.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'>-- </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'>Regards,</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'>Rich Smith</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'>Validation Manager</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'>Comodo</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'><a href="http://www.comodo.com/">http://www.comodo.com</a></span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div></div></body></html>