Percy <percyal...@gmail.com> writes:

>As we observed the large scale MITM against iCloud, Outlook, Google and
>Github carried out on the backbone router with self-signed certs, and that
>the browsers explicitly load self-signed certs, I think it's clear that
>browsers in China are compelled by the gov to enable insecure cryptography by
>default.

Is that really the government compelling them, or just the browser vendors deciding to enable a free market and/or remove dependency on non-Chinese CAs? If the browsers secretly trusted some government-run CA that'd be a different matter, but I'm not sure whether simply choosing to trust self-signed certs is a genuine smoking gun...

Peter.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy