[cabfpub] 答复: 答复: 360 Browser & Cert Validation

Gervase Markham gerv at mozilla.org
Tue May 5 15:34:40 UTC 2015

[Picking up this thread]

On 10/04/15 07:35, 高寒蕊 wrote:
> > So the only sites where you use the secure behaviour are those known
> > to the 360 team to be malicious?
> - Yes. And so far, 360 secure team is the most reliable one and has
> the largest libs in China.

But your list of malicious sites would never include e.g. weibo.com,
would it? After all, weibo.com itself is not a malicious site.

So if I am an attacker, controlling someone's network connection, and I
spoof weibo.com with a bogus (say, self-signed) certificate, 360 Browser
will display a warning but will also display the content and send me,
the attacker, the user's weibo.com cookies. So I can then impersonate
them on weibo.com. And this could only be fixed by adding weibo.com to
your "malicious sites" list, which you aren't going to do.

Is that correct? Or have I misunderstood?


More information about the Public mailing list