Jump to content
Tuts 4 You
SkyProud

SSL Labs's results on Chinese websites

Recommended Posts

SkyProud

Disclaimer: It is the evaluation of the website itself, not the content on it. Be
careful when assessing the content of these websites!

Summary:
HTTPS web mail:
QQ mail: A
163 mail(netease): A(This server's certificate will be distrusted by Google and Mozilla from September 2018. )
Sohu mail: C(This server's certificate will be distrusted by Google and Mozilla from September 2018. )
Sina mail: F

Website:
Taobao: B
Baidu: C
360: C(Router Test gets F)
Kingsoft(Jinshan): F
Huawei: T(hostname mismatch, browser gives bad message)

Online banking:
ICBC: B
BOC: C
CCB: C
ABchina: C
CMBchina: C

 

My comment:
I began my HTTPS tour in Chinese websites, using the Qualys SSL Labs as the benchmark. To
blacklist or to whitelist, it depends on you.

Among the results, QQ Mail gets a A rating, making it the only site which doesn't have any
problem amongst the tested popular sites. 163 Mail, although has got a A rating,

lacks of future browser trust. ICBC and Taobao, get B rating. A lot of them get a rating of C. 360, who

claimed itself to be safe, seems to be vulnerable to the POODLE attack , and one of its sub link, 

the router test, gets an F due to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107). Sina
Mail and Kingsoft get F, which have multiple vulnerabilities. The support site of Huawei, gets a T,
it has a hostname mismatch, the browser will give bad message about it.

I wonder how they could achieve this. You know, major oversea counterpart get A rating by
average. Even use the default settings by the SSL library could give a much better result!
If only they keep their HTTPS technology up to date and learn a little bit from the best
configured website:dunno:

Edited by SkyProud
Colour of rating text changed.

Share this post


Link to post
Share on other sites
SkyProud

Quick update:
Huawei puts a "403 Forbidden" message in the main page of their
support site, and set the HTTP server signature as "HIDDEN". Just show you what kind of tech
guys are behind it! And information of more sites:

azure.cn: A+ , Zhihu: A, 12306.cn: A

UnionPay: C
mail.miit.gov.cn: B(This server's certificate is not trusted by Apple and Java trust store)
www.12309.gov.cn:
F
email.sse.com.cn: B

Share this post


Link to post
Share on other sites
SkyProud

Quick update:
Huawei link is wrong, should be this one, grade F.
CFCA(China Financial Certification Authority) is a popular financial CA in China, its site gets grade C.

  • Thanks 1

Share this post


Link to post
Share on other sites
SkyProud

According to this Github issue, the Apple OS X 10.13 already has CFCA root, but the current official trust store of Java 8u161 does not have the CFCA root.

I check it by installing JRE 8u161 then type the following command in Windows:

"C:\Program Files\Java\jre1.8.0_161\bin\keytool.exe" -list -keystore "C:\Program Files\Java\jre1.8.0_161\lib\security\cacerts" > list1.txt

And find no Thumbprint of the CFCA root.

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×