[cabfpub] Draft Zurich F2F Meeting agenda

Geoff Keating geoffk at apple.com
Wed Apr 8 01:33:52 UTC 2015


> On 7 Apr 2015, at 5:51 pm, Richard Wang <richard at wosign.com> wrote:
> 
> WoSign just finished a test of all browsers' warnings for SSL problems, especially for Chinese-brand browsers.
> 
> We found a possible problem in browsers (IE/Chrome/Safari/Opera):
> 
> (1)   Test scenario: install an untrusted root into the Windows Trusted Root store, have that untrusted root issue an SSL certificate for a bank site, and set the local hosts file to point this site to the fraud IP;
> 
> (2)   Result: when we use IE/Chrome/Safari/Opera to visit this fraud site with the fraud SSL certificate, the browsers show no warning; only Firefox, 360 Browser and UC Browser show the redirect security warning.
> 
> (3)   Suggestion: I think all browsers should NOT trust all manually installed roots, and should detect local hosts file modification and give a warning.
> 
> Does anyone think this problem needs to be discussed at the next F2F meeting?
> 

This is a normal scenario if the user is intentionally using an SSL-intercepting firewall.  I am not super comfortable with the existence of SSL-intercepting firewalls, but if they must exist this is how you use them.

However, at least Safari should never show a green EV indicator in this situation, and I think this is the same for all browsers.
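An added audit script for the scenario the thread describes (written here as an illustration; it is not code from the thread, from WoSign's test, or from any browser vendor). It reports the two conditions the test combines on a Windows machine: trust anchors present outside the OS root program and hosts-file overrides. It assumes PowerShell 3 or later, that the machine-level root store is compared against a baseline file stored under ProgramData (assumed path), and that the user-level Root store contains only anchors added by the user or by software running as the user.

```powershell
# Hypothetical audit: surfaces manually installed trust anchors and hosts-file
# redirects, the two ingredients of the test scenario quoted above.

$hostsPath    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$baselinePath = Join-Path $env:ProgramData 'root-baseline.txt'   # assumed location

# 1. Per-user roots. Windows never populates this store from the root program,
#    so every entry was added locally and deserves a look.
Write-Host '== Trust anchors in CurrentUser\Root =='
Get-ChildItem Cert:\CurrentUser\Root |
    Select-Object Subject, Thumbprint, NotAfter |
    Format-Table -AutoSize

# 2. Machine-level roots. Compare thumbprints against a baseline captured on a
#    known-good day so that anchors added later (e.g. by an intercepting
#    firewall's installer) stand out.
$current = Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint
if (Test-Path $baselinePath) {
    $baseline = Get-Content $baselinePath
    $added = Compare-Object -ReferenceObject $baseline -DifferenceObject $current |
        Where-Object SideIndicator -eq '=>' |
        Select-Object -ExpandProperty InputObject
    foreach ($tp in $added) {
        $cert = Get-ChildItem "Cert:\LocalMachine\Root\$tp"
        Write-Warning "Root added since baseline: $($cert.Subject) [$tp]"
    }
} else {
    # First run: record the current store as the baseline for later comparisons.
    $current | Set-Content $baselinePath
    Write-Host "Baseline written to $baselinePath"
}

# 3. Hosts-file overrides. Any line whose first token is an address other than
#    loopback maps a name to an address chosen locally, which is what step (1)
#    of the test relies on.
Write-Host '== Non-loopback hosts entries =='
Get-Content $hostsPath |
    Where-Object {
        $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and
        $_ -notmatch '^\s*127\.' -and
        $_ -notmatch '^\s*::1\b'
    } |
    ForEach-Object { Write-Warning "hosts override: $_" }
```

Run it elevated so the LocalMachine store and the hosts file are readable; the per-user listing and the hosts-file check are the parts relevant to a single user's browser, the baseline diff to a managed fleet.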