On Sunday, October 30, 2016 at 8:40:37 PM UTC+8, 谭晓生 wrote:
> Nothing compelled by the gov to trust the self-issued certificates.
>
> It is because some very large websites like 12306.cn (the only online entry
> to buy railway tickets in China) and some government websites are still
> using self-issued certificates; even when we tried to offer free trusted
> certificates to them, they rejected.
> If a local browser tries to block access to these websites, users will force
> the browser to trust the self-issued certificates and complain. For the
> behaviour training of end users it is also an issue: users will get used to
> trusting certificates which have a warning message from browsers, and even
> if there is a MITM attack, they still could not identify it.
>
> That's the dilemma we have:
> Block access to self-issued certificates: users will ignore it and force
> trust of the certificates, bad behaviour training, users might change to a
> competitor's product.
> Do not block access: there is the possibility of a MITM attack, and the
> community complains.
>
> We have already worked on a solution for a while and will release a report
> soon, hopefully to find a tradeoff between user experience and security.
>
> Thanks,
> Xiaosheng Tan
>
>
> From: Percy <[email protected]>
> Date: Sunday, October 30, 2016 4:01 PM
> To: 晓生 谭 <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: StartCom & Qihoo Incidents
>
> As we observed the large scale MITM against iCloud, Outlook, Google and
> Github carried out on the backbone router with self-signed certs, and that
> the browsers explicitly load self-signed certs, I think it's clear that
> browsers in China are compelled by the gov to enable insecure cryptography by
> default.
>
> Percy
> Alpha (PGP <https://pgp.mit.edu/pks/lookup?op=vindex&search=0xF30D100F7FE124AE>)
>
>
> On Sat, Oct 29, 2016 at 11:36 PM, 谭晓生 <[email protected]> wrote:
> Is there anybody who thought about why it happens in China?
> Why did the local browser not block the self-issued certificates?
>
> Thanks,
> Xiaosheng Tan
>
>
> On 2016/10/30 at 1:17 PM, "Percy" <[email protected]> wrote:
>
> On Saturday, October 29, 2016 at 5:54:10 PM UTC-7, Matt Palmer wrote:
> > On Sat, Oct 29, 2016 at 02:59:07PM -0700, Percy wrote:
> > > Perhaps not. However, Qihoo 360's behavior calls the trustworthiness of the
> > > entire company into question. And such trust, in my view, should be
> > > evaluated when WoSign/StartCom submit their re-inclusion requests in the
> > > future.
> >
> > You can make that argument when WoSign/StartCom's reinclusion discussions
> > take place on this list. Now is not the appropriate time for that.
> >
> > - Matt
> WoSign/StartCom's re-inclusion request might be a year from now. In the
> meanwhile, those 400 million users will be exposed to MITM. That's why I'm
> bringing it up now, rather than one year later.
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
I think that you can maintain a list to preload self-signed certificates, something like HSTS preload. For me the 12306 certificate has had a security exception for a long time and it still works. And are there any other government sites using self-signed certs? Who?
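One way to realise the preload idea above, as an added example that is not part of the original thread and not any browser's code: a per-host pin list keyed by the SHA-256 fingerprint of the DER-encoded certificate, consulted only when normal chain validation fails. The host name 12306.cn is taken from the thread; the certificate bytes and pin values are constructed placeholders, and `decide_blanket_trust` and `decide_preloaded` are hypothetical function names. The block contrasts the blanket "accept any self-signed certificate" policy the thread criticises with the preload check, under which a different self-signed certificate presented for the same host (the MITM case) is rejected.

```python
import hashlib
import hmac


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded (the usual pin form)."""
    return hashlib.sha256(der_cert).hexdigest()


# Constructed sample certificates: placeholder bytes standing in for DER.
SITE_CERT = b"constructed: legitimate self-signed certificate for 12306.cn"
MITM_CERT = b"constructed: attacker's self-signed certificate for 12306.cn"

# Constructed preload list: exact host -> set of allowed fingerprints.
# Allowing several pins per host lets a site rotate its certificate
# (ship the new pin in a browser update before the switch) without
# breaking access; a real list would hold hashes of the real certificates.
PRELOAD = {
    "12306.cn": {fingerprint(SITE_CERT)},
}


def decide_blanket_trust(host: str, der_cert: bytes, chain_validates: bool) -> str:
    """The policy criticised in the thread: the certificate is accepted whether
    or not it chains to a trusted root, so a MITM certificate passes too."""
    return "accept"


def decide_preloaded(host: str, der_cert: bytes, chain_validates: bool,
                     preload: dict = PRELOAD) -> str:
    """Accept a certificate that chains to a trusted root as usual; otherwise
    accept only if the host is preloaded and its fingerprint matches a pin.
    Hosts not on the list get no self-signed exception at all."""
    if chain_validates:
        return "accept"
    pins = preload.get(host)
    if not pins:
        return "reject"
    presented = fingerprint(der_cert)
    # compare_digest avoids leaking which pin bytes matched through timing.
    if any(hmac.compare_digest(presented, pin) for pin in pins):
        return "accept"
    return "reject"


def demo() -> dict:
    """Run both policies over the constructed scenarios."""
    cases = {
        "site cert, blanket policy": decide_blanket_trust("12306.cn", SITE_CERT, False),
        "mitm cert, blanket policy": decide_blanket_trust("12306.cn", MITM_CERT, False),
        "site cert, preload policy": decide_preloaded("12306.cn", SITE_CERT, False),
        "mitm cert, preload policy": decide_preloaded("12306.cn", MITM_CERT, False),
        "unlisted host, self-signed": decide_preloaded("other.example", SITE_CERT, False),
        "unlisted host, valid chain": decide_preloaded("other.example", b"any", True),
    }
    return cases


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The difference between the two policies is the whole point of the thread: under blanket trust the backbone-router MITM certificate is indistinguishable from the site's own, while a preload pin ties the exception to one specific certificate for one specific host, so the exception no longer trains users to click through warnings and no longer covers an attacker's certificate. Like the HSTS preload list, the pin list has to be shipped and refreshed through browser updates, so the sites on it need a rotation plan.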

