Jump to content
Tuts 4 You

SSL Labs's results on Chinese websites


Recommended Posts

Disclaimer: It is the evaluation of the website itself, not the content on it. Be
careful when assessing the content of these websites!

HTTPS web mail:
QQ mail: A
163 mail(netease): A(This server's certificate will be distrusted by Google and Mozilla from September 2018. )
Sohu mail: C(This server's certificate will be distrusted by Google and Mozilla from September 2018. )
Sina mail: F

Taobao: B
Baidu: C
360: C(Router Test gets F)
Kingsoft(Jinshan): F
Huawei: T(hostname mismatch, browser gives bad message)

Online banking:
ABchina: C
CMBchina: C


My comment:
I began my HTTPS tour in Chinese websites, using the Qualys SSL Labs as the benchmark. To
blacklist or to whitelist, it depends on you.

Among the results, QQ Mail gets a A rating, making it the only site which doesn't have any
problem amongst the tested popular sites. 163 Mail, although has got a A rating,

lacks of future browser trust. ICBC and Taobao, get B rating. A lot of them get a rating of C. 360, who

claimed itself to be safe, seems to be vulnerable to the POODLE attack , and one of its sub link, 

the router test, gets an F due to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107). Sina
Mail and Kingsoft get F, which have multiple vulnerabilities. The support site of Huawei, gets a T,
it has a hostname mismatch, the browser will give bad message about it.

I wonder how they could achieve this. You know, major oversea counterpart get A rating by
average. Even use the default settings by the SSL library could give a much better result!
If only they keep their HTTPS technology up to date and learn a little bit from the best
configured website:dunno:

Edited by SkyProud
Colour of rating text changed.
Link to comment

Quick update:
Huawei puts a "403 Forbidden" message in the main page of their
support site, and set the HTTP server signature as "HIDDEN". Just show you what kind of tech
guys are behind it! And information of more sites:

azure.cn: A+ , Zhihu: A, 12306.cn: A

UnionPay: C
mail.miit.gov.cn: B(This server's certificate is not trusted by Apple and Java trust store)
email.sse.com.cn: B

Link to comment

According to this Github issue, the Apple OS X 10.13 already has CFCA root, but the current official trust store of Java 8u161 does not have the CFCA root.

I check it by installing JRE 8u161 then type the following command in Windows:

"C:\Program Files\Java\jre1.8.0_161\bin\keytool.exe" -list -keystore "C:\Program Files\Java\jre1.8.0_161\lib\security\cacerts" > list1.txt

And find no Thumbprint of the CFCA root.


Link to comment
  • 3 weeks later...

Group by the HTTP server signature(unknown and private not included):

Apache: Baidu, CCB, UnionPay, CFCA, Iqiyi, 
Microsoft-IIS: CMBchina, azure.cn, 
nginx: QQ mail, 163 mail, Sohu mail, Taobao(fork of nginx), 360, Kingsoft, www.12309.gov.cn,
email.sse.com.cn, Youku(fork of nginx), 

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...