[cabfpub] Reply: 360 Browser & Cert Validation

高寒蕊 gaohanrui at 360.cn
Thu Apr 9 09:30:06 UTC 2015


Since last Oct, we have enabled the interception page to display warning messages for some sites which use invalid or expired certificates. But taking the China specific situation into consideration, this mechanism wasn't enabled for all sites. We have a list on cloud which controls for which sites the interception page should be displayed. And for those sites out of the list, we use the original means to warn the users, i.e., in both address-bar and the yellow infobar.

The list on cloud could be updated and come into force immediately when the 360 security team finds any suspects. So it can provide both the safety control and an acceptable experience for local users.

We'll add the free-certificates thing into our help page later to benefit the local sites and users.

Thanks!

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Erwann Abalea
Sent: April 3, 2015 3:18
To: public at cabforum.org
Subject: Re: [cabfpub] 360 Browser & Cert Validation

Wasn't it supposedly corrected, as announced in https://cabforum.org/pipermail/public/2014-October/004356.html ?

--
Erwann ABALEA

On 02/04/2015 20:59, Tom Ritter wrote:
> Hi Hanrui,
>
> I wanted to follow up on the discussion back in October 
> (https://cabforum.org/pipermail/public/2014-October/004256.html ) on
> 360 SE/EE and certificate validation.  I downloaded 360SE and tested 
> it on a random site with an invalid certificate (a non-matching name 
> but it was a valid CA-signed cert).  The browser loaded the page 
> automatically and displayed the yellow infobar at the top, which was 
> the original behavior discussed in that thread.
>
> The version of the browser I installed was viewable in the Properties 
> tab in Windows Explorer is 7.1.1.580 and the binary was signed on 
> March 31, 2015 9:22:00 AM.
>
> While the infobar is a warning to users (I couldn't read the warning 
> text, but it linked to http://se.360.cn/jump/certificate-error.html ), 
> the browser automatically loaded the page and sent the user's cookies 
> to the site. Someone performing an attack would be able to steal the 
> user's cookies and authenticate as the user. If the attacker connected 
> the user back up to the original site (say Gmail) they would also see 
> all the responses the server sends back for that user, such as the 
> user's emails.
>
> This is a really big security concern for your users, and undermines 
> TLS entirely.
>
> I understand that a significant number of websites in China are using 
> self-signed or expired certificates, but there are becoming more and 
> more options for getting free certificates.  StartCom will provide 
> free certificates, the Let's Encrypt project is getting up to speed 
> and should be operating this year - but perhaps most usefully to the 
> Chinese community, WoSign will issue free certificates for sites:
> https://buy.wosign.com/free/ and is localized.
>
> I believe it's important for all members of the community (CAs, 
> browsers, websites, and users) to push each other forward towards more 
> secure deployments. No other modern browser will validate any of the 
> affected sites; if you also refuse to validate them (and protect your 
> users), the sites will have all the more encouragement to deploy a 
> valid SSL certificate.
>
> -tom
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

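A defender-side check for the behaviour Tom describes, added here as an example and not code from the thread, from 360 or from any browser discussed: a Go harness that stands up a local HTTPS server with an untrusted self-signed certificate (generated by httptest, standing in for the invalid certificate) and shows that a client which fails closed never transmits its session cookie, while a client that skips verification (the "load the page first, warn afterwards" behaviour) hands the cookie over before any infobar could help. The server, the cookie value and the names newUntrustedServer and fetchWithCookie are constructed for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"net/http"
	"net/http/httptest"
	"sync"
)

// newUntrustedServer starts a local HTTPS server whose self-signed certificate
// (generated by httptest, trusted by no client) stands in for the invalid
// certificate in the thread, and records the Cookie header of every request
// that reaches it.
func newUntrustedServer() (srv *httptest.Server, cookiesSeen func() []string) {
	var mu sync.Mutex
	var seen []string
	srv = httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		seen = append(seen, r.Header.Get("Cookie"))
		mu.Unlock()
		w.WriteHeader(http.StatusOK)
	}))
	cookiesSeen = func() []string { mu.Lock(); defer mu.Unlock(); return append([]string(nil), seen...) }
	return srv, cookiesSeen
}

// fetchWithCookie sends one GET carrying a constructed session cookie.
// skipVerify=false is a client that fails closed, like a browser that refuses
// the page; skipVerify=true reproduces "load the page first, warn afterwards".
// It reports whether the request completed and, if not, whether the cause
// was the certificate being rejected as untrusted.
func fetchWithCookie(url string, skipVerify bool) (completed, certRejected bool) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: skipVerify},
	}}
	req, _ := http.NewRequest("GET", url, nil)
	req.AddCookie(&http.Cookie{Name: "session", Value: "constructed-session-token"})
	resp, err := client.Do(req)
	if err != nil {
		var unknownCA x509.UnknownAuthorityError
		return false, errors.As(err, &unknownCA)
	}
	resp.Body.Close()
	return true, false
}
```

With verification enforced the server never sees a request at all, so the cookie cannot be captured; with verification skipped the server receives `session=constructed-session-token` on the first request.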