[cabfpub] Re: Re: Re: 360 Browser & Cert Validation

高寒蕊 gaohanrui at 360.cn
Wed May 6 04:09:29 UTC 2015


Hi Gervase,

In short, it's not correct.

The list itself is not a "malicious sites" list.
For the sites in the list, it doesn't mean that they are malicious; instead, it means that these sites are in potential danger, in other words, that they might be attacked.
And we are not showing the interception page for all visits to those sites; we show the page only if a user visits them AND we find that the cert is illegal.

So if a popular site gets attacked, our security team will find it and we'll add this site to the list immediately. And this will not affect users whose networks are safe.

Thanks!



-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org]
Sent: 5 May 2015 23:35
To: 高寒蕊; Erwann Abalea; public at cabforum.org
Cc: 石晓虹; 贾正强
Subject: Re: Re: [cabfpub] Re: 360 Browser & Cert Validation

[Picking up this thread]

On 10/04/15 07:35, 高寒蕊 wrote:
> > So the only sites where you use the secure behaviour are those known 
> > to the 360 team to be malicious?
> 
> - Yes. And so far, 360 secure team is the most reliable one and has 
> the largest libs in China.

But your list of malicious sites would never include e.g. weibo.com, would it? After all, weibo.com itself is not a malicious site.

So if I am an attacker, controlling someone's network connection, and I spoof weibo.com with a bogus (say, self-signed) certificate, 360 Browser will display a warning but will also display the content and send me, the attacker, the user's weibo.com cookies. So I can then impersonate them on weibo.com. And this could only be fixed by adding weibo.com to your "malicious sites" list, which you aren't going to do.

Is that correct? Or have I misunderstood?

Gerv
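
The two policies argued over in this thread, as a small model added here for illustration (it is not code from 360, Mozilla or the CA/Browser Forum): a browser whose certificate check fails open unless the host is on a watchlist, beside one that fails closed on any invalid chain. The hosts, the watchlist contents, the cookie name and value, and the class and function names are constructed for the example.

```python
"""Model of the two TLS-failure policies discussed in the thread above.

Added illustration, not code from 360, Mozilla or the CA/Browser Forum.
Hosts, the watchlist and the cookie value are constructed sample data.
"""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    LOAD = "load"                    # chain validates: normal page load
    WARN_AND_LOAD = "warn_and_load"  # chain invalid, warning shown, request still sent
    BLOCK = "block"                  # interception page, nothing is sent to the peer


@dataclass
class Request:
    host: str
    cookies: dict = field(default_factory=dict)


@dataclass
class Browser:
    # host -> cookies the browser holds for that host (constructed sample data)
    cookie_jar: dict
    # the "sites in potential danger" list: only these hosts get the interception page
    watchlist: frozenset = frozenset()
    # True models the expectation in Gerv's mail: an invalid chain always blocks
    fail_closed: bool = False

    def decide(self, host: str, cert_valid: bool) -> Verdict:
        if cert_valid:
            return Verdict.LOAD
        if self.fail_closed or host in self.watchlist:
            return Verdict.BLOCK
        return Verdict.WARN_AND_LOAD

    def visit(self, host: str, cert_valid: bool):
        """Return (verdict, request handed to whoever completed the TLS handshake).

        The request is None when the browser blocks.  When it is not None, every
        cookie in it reaches the peer, which under a MITM is the attacker.
        """
        verdict = self.decide(host, cert_valid)
        if verdict is Verdict.BLOCK:
            return verdict, None
        return verdict, Request(host, dict(self.cookie_jar.get(host, {})))


def mitm_scenario(fail_closed: bool, watchlist: frozenset = frozenset()):
    """The scenario from Gerv's mail: an on-path attacker answers for weibo.com
    with a self-signed certificate, so chain validation fails (cert_valid=False).
    Returns the verdict and the cookies the attacker receives."""
    browser = Browser(
        cookie_jar={"weibo.com": {"SUB": "constructed-session-token"}},
        watchlist=watchlist,
        fail_closed=fail_closed,
    )
    verdict, request = browser.visit("weibo.com", cert_valid=False)
    leaked = dict(request.cookies) if request is not None else {}
    return verdict, leaked


if __name__ == "__main__":
    # Policy as described in the thread: weibo.com is not on the list, so a
    # warning is shown but the request, cookies included, still reaches the attacker.
    print(mitm_scenario(fail_closed=False))
    # Putting weibo.com on the list blocks, but only for that one host.
    print(mitm_scenario(fail_closed=False, watchlist=frozenset({"weibo.com"})))
    # Fail-closed policy: blocked for every host, no list needed.
    print(mitm_scenario(fail_closed=True))
```

The point the model makes concrete is that the attacker never needs a trusted certificate: completing a handshake with any certificate is enough, because the cookies are attached to whatever request the browser decides to send. A watchlist only changes the outcome for hosts that are on it; the `fail_closed` branch removes the dependency on the list altogether.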

