Closed Bug 1128366 Opened 10 years ago Closed 9 years ago

Add some sub domains of kuronekoyamato.co.jp into the whitelist of non-secure TLS fallback

Categories

(Web Compatibility :: Desktop, defect)

x86_64
Windows 8.1
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: masayuki, Unassigned)

As far as I can access, the following sub domains are also using non-secure TLS:

https://syuhai.kuronekoyamato.co.jp/
https://takuhai-locker.kuronekoyamato.co.jp/
https://c2.kuronekoyamato.co.jp/
https://okurijyoinji.kuronekoyamato.co.jp/
https://jizen.kuronekoyamato.co.jp/
https://otodoke.kuronekoyamato.co.jp/
https://tenkyo-tenso.kuronekoyamato.co.jp/
https://auction.kuronekoyamato.co.jp/
https://tsuhanshokai.kuronekoyamato.co.jp/
https://mytoi.kuronekoyamato.co.jp/
https://repair.kuroneko-kadendr.jp/

All of them are Kuroneko-Yamato's services for personal users. So, I guess that there are other sub domains (or other domains like the last one?) for enterprise users (I cannot access the enterprise users' site). Anyway, they add a sub domain for every service. Therefore, I think that we should allow *.kuronekoyamato.co.jp and *.kuroneko-kadendr.jp. If we don't do so, they could add a new sub domain before or after we ship the behavior in release builds.
Ah, and this: https://bmypage.kuronekoyamato.co.jp/. This sub domain has a log-in page for enterprise users.
I will add them to the whitelist, but they should really fix the servers. In particular, we will have to turn off RC4 completely in the near future.
Blocks: TLS-Intolerance
No longer blocks: 1112110, 1114816
Component: Security: PSM → Desktop
Product: Core → Tech Evangelism
Hopefully the news about the RC4 attack when it is presented at Black Hat Asia 2015 will help.
FYI, this site was SSLv3 exclusive until December 2014.
Depends on: 1137179
Fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Web Compatibility