[cabfpub] China MITMing icloud.com

Rich Smith richard.smith at comodo.com
Tue Oct 21 19:23:35 UTC 2014


Two points from the bylaws, which IMO address this situation, should the
allegations prove accurate:


1) From section 1.1 Purpose of the Forum

"... guidelines and means of implementation for best practices as a way of
providing a heightened security..."

Knowingly allowing MITM is an action clearly in direct opposition to the
stated purpose of this Forum.  It absolutely does NOT provide for heightened


2) From section 2.1 Qualifying for Forum Membership:

(3) Browser: The member organization produces a software product intended
for use by the general public for browsing the Web securely.

Knowingly allowing any party to MITM a site is definitely not producing a
software product intended to allow the general public to browse the Web
securely.  IMO, if the allegation is true then 360 Browser does NOT meet the
definition of a Browser under the bylaws, therefore they would have been
admitted in error and do not qualify for membership.



Rich Smith



From: Dean Coclin [mailto:Dean_Coclin at symantec.com] 
Sent: Tuesday, October 21, 2014 2:55 PM
To: richard.smith at comodo.com; public at cabforum.org
Subject: RE: [cabfpub] China MITMing icloud.com


Rich brings up a good point, but we have to rely on our bylaws for the
operation of the forum, including member conduct.


I took a quick scan of the bylaws and unfortunately I didn't see anything
about member conduct or any action that could be taken related to the
allegation below (feel free to correct me if I missed it). There is
something minor about complying with industry regulations, but does the
alleged behavior violate any regulation?


So although it's fine to have a discussion about it, any action would need
to be in accordance with our bylaws. Hence this may be an opportunity to
propose changes therein.




From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Rich Smith
Sent: Tuesday, October 21, 2014 10:41 AM
To: public at cabforum.org
Subject: [cabfpub] China MITMing icloud.com




The above article states that within China's great firewall, www.icloud.com
is connecting with a self-signed certificate.  The article also states that
the Qihoo 360 Browser passes the user right through with no warning or other
indication that the connection is unsafe.


I have no way to independently verify that accusation, BUT given that we
just approved the 360 Browser's CA/B membership application, I think this
needs to be investigated.


If the accusation is found to be accurate, barring a VERY good explanation
from the 360 Browser team, I would move for their immediate expulsion from
this Forum.




Rich Smith

Validation Manager


http://www.comodo.com


