[cabfpub] Re: China MITMing icloud.com

Gervase Markham gerv at mozilla.org
Wed Oct 22 01:52:22 MST 2014


On 22/10/14 09:47, Eddy Nigg wrote:
> If I approve a certificate exception in Firefox, IE or any other browser
> it will do the same, no? 

Yes, indeed. But that's after a user has explicitly taken action to
approve the exception, after reading what the browser has to say about
why this might not be a good idea.

If, today, you are using the Qihoo 360 browser inside China and you
visit icloud.com, your cookies are leaked immediately. If you visit
somesite.com and it has any sort of resource load from icloud.com, your
cookies are leaked immediately (and without you even knowing it had
happened).

This is very different to the behaviour in other browsers.

Gerv
