As we observed the large-scale MITM against iCloud, Outlook, Google and GitHub carried out on the backbone router with self-signed certs, and that the browsers explicitly load self-signed certs, I think it's clear that browsers in China are compelled by the gov to enable insecure cryptography by default.
Percy Alpha (PGP <https://pgp.mit.edu/pks/lookup?op=vindex&search=0xF30D100F7FE124AE>)

On Sat, Oct 29, 2016 at 11:36 PM, 谭晓生 <[email protected]> wrote:
> Has anybody thought about why it happens in China? Why did the local
> browser not block the self-issued certificates?
>
> Thanks,
> Xiaosheng Tan
>
> On 2016/10/30 1:17 PM, "Percy" <[email protected]> wrote:
>
> On Saturday, October 29, 2016 at 5:54:10 PM UTC-7, Matt Palmer wrote:
> > On Sat, Oct 29, 2016 at 02:59:07PM -0700, Percy wrote:
> > > Perhaps not. However, Qihoo 360's behavior calls the trustworthiness of the
> > > entire company into question. And such trust, in my view, should be
> > > evaluated when WoSign/StartCom submit their re-inclusion requests in the
> > > future.
> >
> > You can make that argument when WoSign/StartCom's reinclusion discussions
> > take place on this list. Now is not the appropriate time for that.
> >
> > - Matt
>
> WoSign/StartCom's re-inclusion request might be a year from now. In the
> meanwhile, those 400 million users will be exposed to MITM. That's why
> I'm bringing it up now, rather than one year later.
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

