[cabfpub] 360 Browser & Cert Validation

Erwann Abalea erwann.abalea at opentrust.com
Thu Apr 2 19:17:42 UTC 2015


Wasn't it supposedly corrected, as announced in 
https://cabforum.org/pipermail/public/2014-October/004356.html ?

-- 
Erwann ABALEA

On 02/04/2015 20:59, Tom Ritter wrote:
> Hi Hanrui,
>
> I wanted to follow up on the discussion back in October
> (https://cabforum.org/pipermail/public/2014-October/004256.html ) on
> 360 SE/EE and certificate validation.  I downloaded 360SE and tested
> it on a random site with an invalid certificate (a non-matching name
> but it was a valid CA-signed cert).  The browser loaded the page
> automatically and displayed the yellow infobar at the top, which was
> the original behavior discussed in that thread.
>
> The version of the browser I installed, as viewable in the Properties
> tab in Windows Explorer, is 7.1.1.580, and the binary was signed on
> March 31, 2015 9:22:00 AM.
>
> While the infobar is a warning to users (I couldn't read the warning
> text, but it linked to http://se.360.cn/jump/certificate-error.html ),
> the browser automatically loaded the page and sent the user's cookies
> to the site. Someone performing an attack would be able to steal the
> user's cookies and authenticate as the user. If the attacker connected
> the user back up to the original site (say Gmail) they would also see
> all the responses the server sends back for that user, such as the
> user's emails.
>
> This is a really big security concern for your users, and undermines
> TLS entirely.
>
> I understand that a significant number of websites in China are using
> self-signed or expired certificates, but more and more options for
> getting free certificates are becoming available.  StartCom will provide
> free certificates, the Let's Encrypt project is getting up to speed
> and should be operating this year - but perhaps most usefully to the
> Chinese community, WoSign will issue free certificates for sites:
> https://buy.wosign.com/free/ and is localized.
>
> I believe it's important for all members of the community (CAs,
> browsers, websites, and users) to push each other forward towards more
> secure deployments. No other modern browser will validate any of the
> affected sites; if you also refuse to validate them (and protect your
> users), the sites will have all the more encouragement to deploy a
> valid SSL certificate.
>
> -tom
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
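As an added illustration of the point Tom's message makes (this is example code written for this page, not code from the cabforum thread or from any 360 Browser release), the snippet below models the fail-closed decision a TLS client has to take: certificate name validation happens before any request carrying cookies is sent, and a name mismatch blocks the navigation instead of loading the page behind a warning bar. The hostname matcher is a simplified form of the RFC 6125 rules that mainstream browsers apply to dNSName SANs (it does not handle IP-address SANs or internationalized names); `navigate`, its `NavigationResult`, the SAN list and the cookie jar are all constructed for the example.

```python
"""
Added example (not part of the cabforum thread or any 360 Browser code).

Models the client-side rule argued for in the thread: validate the server
certificate's name against the requested hostname *before* sending any
request that carries cookies, and fail closed on a mismatch. Hostname
matching is a simplified form of the RFC 6125 rules browsers apply to
dNSName SANs; IP-address SANs and internationalized names are not handled.
"""
from dataclasses import dataclass, field


def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label against a (possibly wildcard) label from a SAN."""
    if pattern == "*":
        return True
    if "*" not in pattern:
        return pattern == label
    # Partial wildcards such as "f*o" are permitted by RFC 6125 but are not
    # accepted by mainstream browsers; treat them as no match (conservative).
    return False


def hostname_matches_san(hostname: str, san_names: list[str]) -> bool:
    """Return True if hostname is covered by one of the dNSName SANs.

    Rules applied (simplified RFC 6125 / browser behaviour):
      * comparison is case-insensitive,
      * a wildcard is honoured only in the left-most label,
      * a wildcard matches exactly one label, never zero or several,
      * names such as "*" or "*.com" are rejected as too broad.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in san_names:
        san_labels = san.lower().rstrip(".").split(".")
        if len(san_labels) != len(host_labels):
            continue  # a wildcard cannot absorb or supply extra labels
        if "*" in san_labels[0] and len(san_labels) < 3:
            continue  # "*.com" would match every site under .com
        if any("*" in lbl for lbl in san_labels[1:]):
            continue  # wildcard outside the left-most label
        if all(_label_matches(p, h) for p, h in zip(san_labels, host_labels)):
            return True
    return False


@dataclass
class NavigationResult:
    """Outcome of a navigation attempt (hypothetical type for this example)."""
    loaded: bool
    cookies_sent: dict = field(default_factory=dict)
    reason: str = ""


def navigate(hostname: str, san_names: list[str], chain_trusted: bool,
             cookie_jar: dict) -> NavigationResult:
    """Decide whether the request (with its cookies) may go to the origin.

    Hypothetical helper modelling fail-closed behaviour: an untrusted chain
    or a name mismatch means nothing is sent. The behaviour described in the
    thread would instead return loaded=True with the cookies attached.
    """
    if not chain_trusted:
        return NavigationResult(False, {}, "untrusted chain: request not sent")
    if not hostname_matches_san(hostname, san_names):
        return NavigationResult(False, {}, "name mismatch: request not sent")
    return NavigationResult(True, dict(cookie_jar), "certificate validated")


if __name__ == "__main__":
    # Constructed sample data: a cert issued for example.com names, presented
    # by an origin whose name is not covered by it.
    san_names = ["mail.example.com", "*.example.com"]
    cookie_jar = {"SID": "constructed-session-token"}
    print(navigate("mail.example.com", san_names, True, cookie_jar))
    print(navigate("login.other.test", san_names, True, cookie_jar))
```

The second call in the demo is the situation Tom describes: a valid CA-signed certificate whose names do not cover the site being visited. A fail-closed client returns `loaded=False` with an empty `cookies_sent`, so the session cookie never leaves the browser.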