Nobody is compelled by the gov to trust the self-issued certificates.

It is because some very large websites like 12306.cn (the only online entry 
to buy railway tickets in China) and some government websites are still 
using self-issued certificates; even when we tried to offer them free trusted 
certificates, they rejected.
If a local browser tries to block access to these websites, users will force 
the browser to trust the self-issued certificates and complain. For the 
behavior training of end users it is also an issue: users will get used to 
trusting certificates that carry a browser warning message, and even when there 
is a MITM attack, they still could not identify it.

That's the dilemma we have:
Block access to self-issued certificates, and users will ignore the warning and 
force-trust the certificates (bad behavior training); users might change to a 
competitor's product.
Do not block access, and there is the possibility of a MITM attack, and the 
community complains.

We have already worked on a solution for a while and will release a report soon, 
hopefully finding a tradeoff between user experience and security.

Thanks,
Xiaosheng Tan


From: Percy <[email protected]>
Date: Sunday, October 30, 2016, 4:01 PM
To: 晓生 谭 <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: StartCom & Qihoo Incidents

As we observed the large-scale MITM against iCloud, Outlook, Google and GitHub 
carried out on the backbone router with self-signed certs, and that the 
browsers explicitly load self-signed certs, I think it's clear that 
browsers in China are compelled by the gov to enable insecure cryptography by 
default.

Percy Alpha (PGP <https://pgp.mit.edu/pks/lookup?op=vindex&search=0xF30D100F7FE124AE>)


On Sat, Oct 29, 2016 at 11:36 PM, 谭晓生 <[email protected]> wrote:
Has anybody thought about why it happens in China? Why does the local browser 
not block the self-issued certificates?

Thanks,
Xiaosheng Tan



On 2016/10/30 at 1:17 PM, "Percy" <[email protected]> wrote:

    On Saturday, October 29, 2016 at 5:54:10 PM UTC-7, Matt Palmer wrote:
    > On Sat, Oct 29, 2016 at 02:59:07PM -0700, Percy wrote:
    > > Perhaps not. However, Qihoo 360's behavior calls the trustworthiness of the
    > > entire company into question. And such trust, in my view, should be
    > > evaluated when WoSign/StartCom submit their re-inclusion requests in the
    > > future.
    >
    > You can make that argument when WoSign/StartCom's reinclusion discussions
    > take place on this list.  Now is not the appropriate time for that.
    >
    > - Matt
    WoSign/StartCom's re-inclusion request might be a year from now. In the 
    meanwhile, those 400 million users will be exposed to MITM. That's why I'm 
    bringing it up now, rather than one year later.
    _______________________________________________
    dev-security-policy mailing list
    [email protected]
    https://lists.mozilla.org/listinfo/dev-security-policy

