[cabfpub] 360 Browser & Cert Validation

Tom Ritter tom at ritter.vg
Thu Apr 2 18:59:09 UTC 2015

Hi Hanrui,

I wanted to follow up on the discussion back in October
(https://cabforum.org/pipermail/public/2014-October/004256.html ) on
360 SE/EE and certificate validation.  I downloaded 360SE and tested
it on a random site with an invalid certificate (a non-matching name
but it was a valid CA-signed cert).  The browser loaded the page
automatically and displayed the yellow infobar at the top, which was
the original behavior discussed in that thread.

The version of the browser I installed was viewable in the Properties
tab in Windows Explorer is and the binary was signed on
March 31, 2015 9:22:00 AM.

While the infobar is a warning to users (I couldn't read the warning
text, but it linked to http://se.360.cn/jump/certificate-error.html ),
the browser automatically loaded the page and sent the user's cookies
to the site. Someone performing an attack would be able to steal the
user's cookies and authenticate as the user. If the attacker connected
the user back up to the original site (say Gmail) they would also see
all the responses the server sends back for that user, such as the
user's emails.

This is a really big security concern for your users, and undermines
TLS entirely.

I understand that a significant number of websites in China are using
self-signed or expired certificates, but there are becoming more and
more options for getting free certificates.  StartCom will provide
free certificates, the Let's Encrypt project is getting up to speed
and should be operating this year - but perhaps most usefully to the
Chinese community, WoSign will issue free certificates for sites:
https://buy.wosign.com/free/ and is localized.

I believe it's important for all members of the community (CAs,
browsers, websites, and users) to push each other forward towards more
secure deployments. No other modern browser will validate any of the
affected sites, if you also refuses to validate them (and protect your
users), the sites will have all the more encouragement to deploy a
valid SSL certificate.


More information about the Public mailing list