[cabfpub] Re: Re: China MITMing icloud.com

高寒蕊 gaohanrui at 360.cn
Wed Oct 22 02:36:47 MST 2014


Hi Gervase and all,

Sorry, I forgot to mention that a lot of websites are using expired certificates or self-signed certificates in China. So it will bring a very bad user experience to show a tough warning page for each visit to all these websites. Given that, 360 browser uses the infobar warning on the page instead of a whole warning page.

We're now trying to amend the solution to meet international practice. And that's why we applied to join the forum.
We'll have a launch which brings the new design for the warning page this week.

Thanks!


-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org]
Sent: October 22, 2014 16:31
To: 高寒蕊; richard.smith at comodo.com; public at cabforum.org
Cc: 石晓虹
Subject: Re: [cabfpub] Re: China MITMing icloud.com

Hi,

On 22/10/14 04:20, 高寒蕊 wrote:
> 360 browser can identify the fake certification and alert the users in 
> both address-bar and the infobar (the yellow tip right on top of the 
> page). Attached you can find the screenshot.

Even if you provide warnings, you still load the fake page, which, as far as I know, means that the MITM server receives all the cookies and authentication information which the browser would automatically send to icloud.com.

This means that the MITM server now has the ability to impersonate the user, because they have copies of the user's cookies.

Isn't that right?

Why did you choose to differ from the behaviour of all other browsers, which refuse to load the page entirely?

Gerv
