On 30/10/16 12:39, 谭晓生 wrote:
> That's the dilemma we have:
> Block the access to self-issued certificates, the user will ignore and force
> trust the certificates, bad behavior training, the user might change to a
> competitor's product.
> Do not block the access, there is the possibility of a MITM attack, and the
> community complains.
These are not your only two options. You could build a system which was the opposite of Mozilla's OneCRL, or the equivalent of Microsoft's root list - i.e. a Qihoo-curated list of self-signed certificates which were to be trusted, which was dynamically downloaded by the browser on a regular basis. That way, you could enable these big sites without enabling all self-signed certificates.

Why did 12306.cn and other sites actively reject using a publicly-trusted cert?

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
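The curated-list idea sketched in the reply above, worked through as an added example (this is not code from the thread, from Qihoo, or from Mozilla): a small vendor-shipped allow-list pins specific self-signed leaf certificates, identified by the SHA-256 fingerprint of their DER encoding and bound to one host name, and the client consults it only after normal chain validation has failed. The list format, its `version` field, the host names, the certificate bytes and the helper names are all constructed assumptions for illustration.

```python
"""Curated allow-list of self-signed certificates (added example).

Instead of trusting every self-signed certificate, the client trusts only
the exact certificates on a periodically downloaded, vendor-curated list,
each pinned to a host name and carrying its own expiry. Everything else
still produces the normal untrusted-issuer error.
"""
import hashlib
import json
import time
from typing import Optional

# Constructed stand-ins for DER-encoded certificates. Real certificates are
# ASN.1 DER blobs; for a fingerprint check only the exact bytes matter.
CERT_A_DER = b"\x30\x82\x01\x00" + b"constructed self-signed cert for example-rail.test"
CERT_B_DER = b"\x30\x82\x01\x00" + b"constructed self-signed cert presented by another host"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER encoding, lowercase hex (as browsers display it)."""
    return hashlib.sha256(der).hexdigest()


# Constructed "downloaded" allow-list. Each entry pins one certificate to one
# host and expires on its own, so an abandoned entry ages out automatically.
ALLOW_LIST_V1 = json.dumps({
    "version": 1,
    "entries": [
        {"host": "example-rail.test",
         "sha256": fingerprint(CERT_A_DER),
         "not_after": 2_000_000_000},  # constructed unix timestamp
    ],
})


def parse_allow_list(raw: str) -> dict:
    """Parse a downloaded list with a minimal schema check so a bad download cannot crash the client."""
    data = json.loads(raw)
    if not isinstance(data.get("version"), int) or not isinstance(data.get("entries"), list):
        raise ValueError("malformed allow-list")
    for entry in data["entries"]:
        if not {"host", "sha256", "not_after"} <= set(entry):
            raise ValueError("malformed allow-list entry")
    return data


def update_allow_list(current: Optional[dict], downloaded: dict) -> dict:
    """Accept a freshly fetched list only if it does not roll the version back."""
    if current is not None and downloaded["version"] < current["version"]:
        return current  # keep the newer list; ignore a stale or replayed one
    return downloaded


def is_allowed(allow_list: dict, host: str, der: bytes, now: Optional[float] = None) -> bool:
    """True only if this exact certificate is curated for this exact host and is not expired."""
    now = time.time() if now is None else now
    fp = fingerprint(der)
    return any(
        e["host"] == host and e["sha256"] == fp and now < e["not_after"]
        for e in allow_list["entries"]
    )


def decide(chain_valid: bool, allow_list: dict, host: str, der: bytes,
           now: Optional[float] = None) -> str:
    """Normal PKI validation first; the curated list is a narrow fallback, not a replacement."""
    if chain_valid:
        return "accept:pki"
    if is_allowed(allow_list, host, der, now):
        return "accept:curated"
    return "block:untrusted"


if __name__ == "__main__":
    lst = parse_allow_list(ALLOW_LIST_V1)
    print(decide(False, lst, "example-rail.test", CERT_A_DER, now=1_700_000_000))  # accept:curated
    print(decide(False, lst, "example-rail.test", CERT_B_DER, now=1_700_000_000))  # block:untrusted
```

Binding each entry to a host as well as a fingerprint matters: a pinned certificate presented for a different host name is still rejected, and the per-entry expiry plus the version check on download keep the list from silently growing stale or being rolled back to an older copy.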

