[akaiser]

Why not just pretend you do TLS and simply don't show MITM attacks to your users like the (also somehow Chinese) CM Browser does? https://medium.com/@dEad0r/cm-browser-insecurity-can-chinese...

[dijit]

If you own the machine simply install a CA. Instant trusted everything. Be sure to drop those pesky certificate pinning headers in http though.

In fact I believe sslstrip can do all this for you. Including giving it a CA to generate certificates out of.

[akaiser]

The article describes the fact that the CM Browser ignores certificate errors and shows websites as though they were properly secured. Having an actual proper setup (with a trusted CA etc.) wouldn't help here, because a MITM attack would not be visible, because the middle man's certificate would be shown as valid in any case.

I assume Tencent's QQ Browser validates certificates properly, but combined with a horrible RSA implementation that's not worth anything. It's actually a more clever (less visible) way of pretending to establish secure/authenticated connections.