[cabfpub] Re: Re: Re: 360 Browser & Cert Validation

Gervase Markham gerv at mozilla.org
Wed May 6 00:53:40 MST 2015


Hi Hanrui,

On 06/05/15 05:09, 高寒蕊 wrote:
> In short, it's not correct.
> 
> The list itself is not a "malicious sites" list. For those sites in
> the list, it doesn't mean that they are malicious, instead, it means
> that these sites are in potential danger, in other words, they might
> be attacked. And we are not showing the interception page for all
> visits to those sites, we show the page only if a user visits them AND
> finds the cert is illegal.
> 
> So if a popular site gets attacked, our secure team will find it and
> we'll add this site into the list immediately. And this will not
> affect users whose networks are safe.

Thank you for helping me understand this. So it would be fair to say,
then, that 360 Browser maintains a list of sites which are protected
from SSL MITM cookie-stealing attacks, but any site not on that list is
vulnerable to such attacks.

Is the list of protected sites available to view?

Attacks can be very local - just one Wifi access point. If that's true,
isn't it pretty unlikely that your team will hear about the attack,
perhaps because the target does not realise an attack has happened or,
if they do, they don't know who to tell? And often, in a targeted
attack, the attacked site may not be a popular one (but important to the
person using it), so it's unlikely to be on your list.

Do other browsers used mainly in China, such as Baidu's browser,
Tencent's browser or Maxthon, have this approach to SSL warnings?

Gerv
