On October 30, 2016 8:39:55 PM GMT+08:00, "谭晓生" <tanxiaosh...@360.cn> wrote:
>Nothing is compelled by the gov to trust the self-issued certificates.
>
>It is because some very large websites like 12306.cn (the only online
>entry to buy railway tickets in China) and some government websites
>are still using self-issued certificates; even when we tried to offer free
>trusted certificates to them, they rejected.
>If a local browser tries to block access to these websites, users will
>force the browser to trust the self-issued certificates and complain.
>For the behaviour training of end users it is also an issue: users will
>get used to trusting certificates that have a warning message from
>browsers, and even if there is a MITM attack they still could not identify
>it.
>
>That's the dilemma we have:
>Block access to self-issued certificates: users will ignore and
>force trust the certificates, bad behaviour training, users might change
>to a competitor's product.
>Do not block access: there is the possibility of a MITM attack, and
>the community complains.
>
>We already worked on a solution for a while and will release a report
>soon, hopefully to find a tradeoff between user experience and
>security.
>
>Thanks,
>Xiaosheng Tan

Hi, Tan.
I once visited my college WebVPN website, which uses self-signed certs, but 360 browser continued loading it, which shocked me. It is not a **government website** (like the 12306.cn you mentioned), and I need to know about cert errors. As a Chinese netizen, I don't think that a browser should not tell users that something serious has happened, which some users may not know how to handle.

Sincerely,
He

--------
PGP key-id=0x12f3d9a31960c4d4
PGP key Fingerprint=C793 674B 8F3D A78E 5600 834D 408C 9364 0A6D 0519
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy