SkyProud Posted February 10, 2018 (edited)

Disclaimer: It is the evaluation of the website itself, not the content on it. Be careful when assessing the content of these websites!

Summary:

HTTPS web mail:
QQ mail: A
163 mail (NetEase): A (This server's certificate will be distrusted by Google and Mozilla from September 2018.)
Sohu mail: C (This server's certificate will be distrusted by Google and Mozilla from September 2018.)
Sina mail: F

Website:
Taobao: B
Baidu: C
360: C (Router Test gets F)
Kingsoft (Jinshan): F
Huawei: T (hostname mismatch, browser gives bad message)

Online banking:
ICBC: B
BOC: C
CCB: C
ABchina: C
CMBchina: C

My comment:

I began my HTTPS tour of Chinese websites, using Qualys SSL Labs as the benchmark. To blacklist or to whitelist, it depends on you.

Among the results, QQ Mail gets an A rating, making it the only site which doesn't have any problem amongst the tested popular sites. 163 Mail, although it has got an A rating, lacks future browser trust. ICBC and Taobao get a B rating. A lot of them get a rating of C. 360, which claimed itself to be safe, seems to be vulnerable to the POODLE attack, and one of its sub-links, the router test, gets an F due to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107). Sina Mail and Kingsoft, which have multiple vulnerabilities, get F. The support site of Huawei gets a T; it has a hostname mismatch, and the browser will give a bad message about it.

I wonder how they could achieve this. You know, major overseas counterparts get an A rating on average. Even using the default settings of the SSL library could give a much better result! If only they kept their HTTPS technology up to date and learned a little bit from the best configured websites.

Edited February 10, 2018 by SkyProud: Colour of rating text changed.

SkyProud (Author) Posted February 12, 2018

Quick update: Huawei put a "403 Forbidden" message on the main page of their support site, and set the HTTP server signature as "HIDDEN". Just shows you what kind of tech guys are behind it!

And information on more sites:
azure.cn: A+
Zhihu: A
12306.cn: A
UnionPay: C
mail.miit.gov.cn: B (This server's certificate is not trusted by Apple and Java trust store)
www.12309.gov.cn: F
email.sse.com.cn: B

SkyProud (Author) Posted February 13, 2018

Quick update: The Huawei link is wrong, it should be this one, grade F.

CFCA (China Financial Certification Authority) is a popular financial CA in China; its site gets grade C.

SkyProud (Author) Posted February 16, 2018

According to this GitHub issue, Apple OS X 10.13 already has the CFCA root, but the current official trust store of Java 8u161 does not have the CFCA root.

I checked it by installing JRE 8u161 and then typing the following command in Windows:

"C:\Program Files\Java\jre1.8.0_161\bin\keytool.exe" -list -keystore "C:\Program Files\Java\jre1.8.0_161\lib\security\cacerts" > list1.txt

And found no thumbprint of the CFCA root.
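
The keystore check in the post above can be done programmatically instead of reading list1.txt by eye. This is an added example, not part of the original thread; it assumes the alias-line-then-fingerprint-line layout that Java 8 `keytool -list` prints, and the sample listing, aliases and fingerprints in it are constructed, so the thumbprint of the root you are looking for must be supplied by you.

```python
import re
import sys

# Constructed sample in the layout Java 8 `keytool -list` prints.
# Aliases and fingerprints are made up for illustration.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

exampleroot1 [jdk], Aug 25, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
exampleroot2 [jdk], Dec 1, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01
"""

ENTRY_LINE = re.compile(r"^(.+?), .+, (trustedCertEntry|PrivateKeyEntry)")
# The label is "SHA1" on Java 8 and "SHA-256" on newer JDKs; accept either.
FP_LINE = re.compile(r"^Certificate fingerprint \(([^)]+)\):\s*([0-9A-Fa-f:]+)\s*$")

def normalize(fp):
    """Drop separators and case so thumbprints copied from other tools compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())

def parse_listing(text):
    """Return {normalized fingerprint: (alias, hash algorithm)} for every entry."""
    entries, alias = {}, None
    for line in text.splitlines():
        m = ENTRY_LINE.match(line)
        if m:
            alias = m.group(1)
            continue
        m = FP_LINE.match(line)
        if m and alias is not None:
            entries[normalize(m.group(2))] = (alias, m.group(1))
            alias = None
    return entries

def find_root(text, thumbprint):
    """Return the alias that holds `thumbprint`, or None if the store lacks it."""
    hit = parse_listing(text).get(normalize(thumbprint))
    return hit[0] if hit else None

if __name__ == "__main__":
    # Usage: script.py list1.txt <thumbprint of the root to look for>
    listing = open(sys.argv[1], errors="replace").read()
    print(find_root(listing, sys.argv[2]) or "not present in this trust store")
```

Compare thumbprints of the same hash type: a SHA-1 thumbprint will never match a listing that only prints SHA-256 fingerprints.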

SkyProud (Author) Posted February 16, 2018

Quick update: Some popular Chinese video sites:
Youku: A (This server is vulnerable to the Return Of Bleichenbacher's Oracle Threat (ROBOT) vulnerability. Grade will be set to F from March 2018.)
Iqiyi: A
Pear Video: A (This server's certificate will be distrusted by Google and Mozilla from September 2018.)
miaopai.com: F

SkyProud (Author) Posted March 8, 2018

Grouped by the HTTP server signature (unknown and private not included):
Apache: Baidu, CCB, UnionPay, CFCA, Iqiyi
Microsoft-IIS: CMBchina, azure.cn
nginx: QQ mail, 163 mail, Sohu mail, Taobao (fork of nginx), 360, Kingsoft, www.12309.gov.cn, email.sse.com.cn, Youku (fork of nginx)