如果你正在使用中國的最熱門瀏覽器，那要小心了，因為這很可能不太保險。多倫多大學公民實驗室的研究人員曾抨擊UC瀏覽器和百度瀏覽器不安全，最近又指出廣泛使用的Windows版和安卓版QQ瀏覽器也存在重大安全問題。

安全研究人員指出，QQ瀏覽器將用戶個人信息傳回騰訊服務器時，要么根本不加防護，要么使用很容易破解的加密方式。

他們推斷，這可能是專門留下的后門，旨在擴大行政部門的監控范圍。

Windows版和安卓版QQ瀏覽器都會返回瀏覽網頁的地址，以及上網所用手機或電腦的識別信息。安卓版QQ瀏覽器還會返回用戶在搜索框里輸入的關鍵詞，采取的防護手段同樣脆弱不堪。

此外，這些研究人員稱，兩種版本的QQ瀏覽器在軟件升級機制上都存在漏洞，別人可以利用漏洞在用戶的設備上安裝惡意軟件。

這些問題為什么重要？首先，幾乎一半的中國手機用戶都在使用安卓版QQ瀏覽器。研究人員指出：

不安全的數據傳輸方式意味著路徑內的任何行為方（比如，用戶的網絡服務提供商、咖啡店的WiFi網絡，或者通過其中任何一種接入點進入網絡的惡意行為方）都能通過收集信息流，通過一些手段解密后就能獲取各種個人信息。

中國這幾家瀏覽器的用戶要擔心的還不僅是偶然的攻擊。此前，愛德華?斯諾登泄露的信息顯示，情報部門很清楚UC瀏覽器（在中國和印度有5億多用戶）存在的類似漏洞，并且在利用漏洞監控公眾。關于這一點，公民實驗室2015年5月也已經證實。

QQ瀏覽器、UC瀏覽器和百度瀏覽器上相似的安全漏洞引起了研究人員的懷疑，他們曾向騰訊詢問是否存在深層次的原因，但騰訊一直未答復。不過，在被指出問題后，騰訊確實改進了QQ瀏覽器的部分安全機制，但在研究人員看來安全性仍然不夠。

研究人員在報告中指出，出現種種安全漏洞可能是因為行業潛規則，也或許是行政壓力。畢竟，中國的科技公司受制于諸多監管條例，不得不協助政府工作。

他們寫道：“公司高層之所以設置大范圍數據收集功能，有可能是應安全部門的要求，也有可能是為了取悅安全部門。要驗證假設，還需要更進一步研究。”（財富中文網）

譯者：Charlie

審校：夏林

It’s probably not a great idea to use China’s top web browsers. After slamming the security of the UC and Baidu mobile browsers, researchers from Citizen Lab at the University of Toronto have now identified serious problems with both the Windows and Android versions of Tencent’s widely-used QQ Browser.

According to the security researchers, Tencent’s browsers transmitted personal user information back to the company’s servers with either no protection at all, or poorly implemented encryption that could easily be broken.

The researchers theorized these could be deliberate backdoors, aimed at expanding state surveillance.

Both versions sent back the addresses of visited pages, along with identifying data about the phones or computers being used for the surfing. The Android version of the QQ Browser also sent back search terms that the user typed into the address bar, again with poor security protection.

What’s more, the researchers said, there were holes in the software-update mechanisms for both browsers, making it possible for someone to send malware to the user’s device.

Why does all this matter? Firstly, the Android version of the QQ Browser is used by almost half of all Chinese mobile users. Here’s what the researchers said:

This insecure data transmission means that any in-path actor (such as a user’s ISP, a coffee shop WiFi network, or a malicious actor with network visibility across any of these type of access points) would be able to acquire this personal data by collecting traffic and performing any necessary decryption.

It’s not just random attackers that users of these Chinese browsers need to be concerned about. As Citizen Lab demonstrated last May, Edward Snowden’s leaks showed that similar vulnerabilities in the UC Browser (used by over half a billion people in China and India) were known to intelligence services, and used to spy on people.

Suspicious of the similarities between the security holes in the QQ, UC and Baidu browsers, the researchers said they asked Tencent whether there was a underlying reason. They received no answer, but Tencent did strengthen some of the browsers’ security mechanisms after being notified of them — though not to the satisfaction of the researchers.

In their paper, the researchers suggested the flaws could result from poor industry norms and/or pressure from the authorities, who want to be able to easily spy on citizens. After all, China has numerous regulations on tech firms, demanding that they aid authorities.

“It is reasonable to hypothesize that company officers put in place wide-reaching data gathering functionalities either at the request of, or to appease the preferences of, China’s security services,” they wrote. “More research is needed to evaluate this hypothesis.”