[cabfpub] Re: Re: Re: China MITMing icloud.com

高寒蕊 gaohanrui at 360.cn
Mon Oct 27 02:17:48 MST 2014


Dear all,



Here's the update for 360 secure explorer's new design on warning about a fake certificate.

Just like the screenshots, we use an obvious red warning to show the message to the user in the new versions.



[attached screenshot: image003.jpg]



You can verify it by downloading the official version 7.1.1.518 or the beta version 7.2.0.116 from our official website<http://se.360.cn/>.



Thank you!



Yours sincerely,

360 Browser







-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org]
Sent: 22 October 2014 17:43
To: 高寒蕊; richard.smith at comodo.com; public at cabforum.org
Cc: 石晓虹
Subject: Re: Re: [cabfpub] Re: China MITMing icloud.com



On 22/10/14 10:36, 高寒蕊 wrote:

> Sorry, I forgot to mention that a lot of websites are using expired
> certificates or self-signed certificates in China. So it will bring a
> very bad user-experience to show a tough warning page for each visit
> to all these websites. Given that, 360 browser uses the infobar
> warning on the page instead of a whole warning page.



I suspected that this was the reason.



> We're now trying to amend the solution to meet with international
> practice. And that's why we applied to join the forum. We'll have a
> launch which brings the new design for the warning page this week.



I look forward to seeing that with interest. But remember, just making the warnings more scary is simply like shouting "YOUR HOUSE HAS JUST BEEN BURGLED" instead of saying it. You have to either not load the page, or at the very minimum, not send any authentication information.



Also, if you load the page, users may be tempted to click through or ignore the warning because "the page looks right". Users should not be required to understand the threat model of MITM. Not showing them the page avoids this understandable tendency.



So I would urge Qihoo 360 to a) update their browser not to load the page when there is a certificate error; and b) work with CAs and sites within China to improve the use of SSL certificates.



Gerv