360 has 2 versions of its browser: 360 Security browser (IE kernel) and 360 topspeed browser (Chromium kernel). I tested a self-signed cert in Win7 with these 2 browser versions; both throw a cert alert (untrusted cert) in the address bar. Please see the pictures below:
I think end-users might have ignored the warning in the address bar, so 360 should show the alert both in the page and in the address bar.

PS: I can't access https://en.greatfire.org/blog/2014/oct/china-collecting-apple-icloud-data-attack-coincides-launch-new-iphone in China. Would you please send a screenshot of this website as it appears when you visit it in the 360 browser?

Regards,
An Yin
CA Product Manager
China Internet Network Information Center (CNNIC)
---------------------------------------------------

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Gervase Markham
Sent: October 21, 2014 18:49
To: [email protected]
Subject: China MITMing icloud.com

https://en.greatfire.org/blog/2014/oct/china-collecting-apple-icloud-data-attack-coincides-launch-new-iphone

Cert is here:
http://www.mediafire.com/download/ampbnqncc277krv/fakeicloudcert.zip

I'd be very interested to know why (as reported) the Qihoo 360 browser doesn't throw an error for this cert. Does it accept all self-signed certs without complaint? Or is there something special about this one? If so, what exactly?

If anyone (presumably with a copy of Windows) wants to dig into that, it would be really great.

Gerv
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

