[cabfpub] 答复: 答复: China MITMing icloud.com

[Gervase Markham]

On 22/10/14 10:36, 高寒蕊 wrote:
> Sorry, I forgot to mention that a lot of websites are using expired
> certificates or self-signed certificates in China. So it will bring a
> very bad user-experience to show a tough warning page for each visit
> to all these websites. Given that, 360 browser uses the infobar
> warning on the page instead of a whole warning page.

I suspected that this was the reason.

> We're now trying to amend the solution to meet with international
> practice. And that's why we applied to join the forum. We'll have a
> launch which brings the new design for the warning page this week.

I look forward to seeing that with interest. But remember, just making
the warnings more scary is simply like shouting "YOUR HOUSE HAS JUST
BEEN BURGLED" instead of saying it. You have to either not load the
page, or at the very minimum, not send any authentication information.

Also, if you load the page, users may be tempted to click through or
ignore the warning because "the page looks right". Users should not be
required to understand the threat model of MITM. Not showing them the
page avoids this understandable tendency.

So I would urge Qihoo 360 to a) update their browser not to load the
page when there is a certificate error; and b) work with CAs and sites
within China to improve the use of SSL certificates.

Gerv