<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:宋体;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:宋体;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@宋体";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
text-align:justify;
text-justify:inter-ideograph;
font-size:10.5pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"纯文本 Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.5pt;
font-family:"Calibri","sans-serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"批注框文本 Char";
margin:0cm;
margin-bottom:.0001pt;
text-align:justify;
text-justify:inter-ideograph;
font-size:9.0pt;
font-family:"Calibri","sans-serif";}
span.Char
{mso-style-name:"纯文本 Char";
mso-style-priority:99;
mso-style-link:纯文本;
font-family:"Calibri","sans-serif";}
span.Char0
{mso-style-name:"批注框文本 Char";
mso-style-priority:99;
mso-style-link:批注框文本;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
/* Page Definitions */
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="ZH-CN" link="blue" vlink="purple" style="text-justify-trim:punctuation">
<div class="WordSection1">
<p class="MsoPlainText"><span lang="EN-US">Dear all,<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">Here's the udpate for 360 secure explorer's new design on warning a fake certificate.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">Just like the screenshots, we use an obvious red warning to show the message to the user in the new versions.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><img width="309" height="232" id="图片_x0020_1" src="cid:image003.jpg@01CFF209.ED71CF40"></span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">You can verify it by downloading the official version 7.1.1.518 or the beta version 7.2.0.116 from our official
<a href="http://se.360.cn/">website</a>.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">Thank you!<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">Yours sincerely,<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">360 Browser<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">-----</span><span style="font-family:宋体">邮件原件</span><span lang="EN-US">-----<br>
</span><span style="font-family:宋体">发件人</span><span lang="EN-US">: Gervase Markham [mailto:gerv@mozilla.org]
<br>
</span><span style="font-family:宋体">发送时间</span><span lang="EN-US">: 2014</span><span style="font-family:宋体">年</span><span lang="EN-US">10</span><span style="font-family:宋体">月</span><span lang="EN-US">22</span><span style="font-family:宋体">日</span><span lang="EN-US">
17:43<br>
</span><span style="font-family:宋体">收件人</span><span lang="EN-US">: </span><span style="font-family:宋体">高寒蕊</span><span lang="EN-US">; richard.smith@comodo.com; public@cabforum.org<br>
</span><span style="font-family:宋体">抄送</span><span lang="EN-US">: </span><span style="font-family:宋体">石晓虹</span><span lang="EN-US"><br>
</span><span style="font-family:宋体">主题</span><span lang="EN-US">: Re: </span><span style="font-family:宋体">答复</span><span lang="EN-US">: [cabfpub]
</span><span style="font-family:宋体">答复</span><span lang="EN-US">: China MITMing icloud.com</span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">On 22/10/14 10:36, </span><span style="font-family:宋体">高寒蕊</span><span lang="EN-US"> wrote:<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">> Sorry, I forgot to mention that a lot of websites are using expired
<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">> certificates or self-signed certificates in China. So it will bring a
<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">> very bad user-experience to show a tough warning page for each visit
<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">> to all these websites. Given that, 360 browser uses the infobar
<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">> warning on the page instead of a whole warning page.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">I suspected that this was the reason.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">> We're now trying to amend the solution to meet with international
<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">> practice. And that's why we applied to join the forum. We'll have a
<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">> launch which brings the new design for the warning page this week.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">I look forward to seeing that with interest. But remember, just making the warnings more scary is simply like shouting "YOUR HOUSE HAS JUST BEEN BURGLED" instead of saying it. You have to either not load the page,
or at the very minimum, not send any authentication information.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">Also, if you load the page, users may be tempted to click through or ignore the warning because "the page looks right". Users should not be required to understand the threat model of MITM. Not showing them the page
avoids this understandable tendency.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">So I would urge Qihoo 360 to a) update their browser not to load the page when there is a certificate error; and b) work with CAs and sites within China to improve the use of SSL certificates.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">Gerv<o:p></o:p></span></p>
</div>
</body>
</html>