Dinataspace

SSLv3 error alert

9 posts in this topic

Today my girlfriend told me that she got an SSL error alert from the web which reads more or less like this.

"The client and server don’t support a common SSL protocol version or cipher suite. This is usually caused when the server needs SSLv3 support, which has been removed."

I have tried the SSLv3 test on https://zmap.io/sslv3/ and unfortunately both Ultra and Retro mode got the same result with this notice.

"Warning! Your browser supports SSLv3."

I also ran the test on other browsers like Nitro, IE, Chrome, Yandex and Firefox, and each one of those passes the test without warning; only Maxthon fails.

So I am just curious: is there a way to disable SSLv3 in Maxthon? Is Maxthon still safe for us?


Just a small correction: unfortunately Mx Nitro gets the SSLv3 warning too. According to https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/Vnhy9aKM_l4 and https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/ SSLv3 has been disabled by default since Chrome 39 and Firefox 34. So I assume it is due to the outdated Chromium core in Mx Nitro.

I hope Mx will remove support for the fallback to SSLv3 in the next release.


Hello ppl, I've read that the Superfish vulnerability issue was fixed in Mx 4.4.4.2100, but is there any progress with this security issue in the latest silent beta version (Mx 4.4.4.2200)?


7twenty replied:

Still there.

Thanks, 7twenty. The SSLv3 POODLE vulnerability issue also still persists in Mx 4.4.4.3000.


Unfortunately, a lot of services and servers depend on SSL, not just HTTPS sites.

Like mail servers, SSH, and other business applications using custom ports that depend on SSL; they all need to be updated to stop supporting SSLv3.

All systems and applications utilizing the Secure Socket Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers may be vulnerable. However, the POODLE (Padding Oracle on Downgraded Legacy Encryption) attack demonstrates this vulnerability using web browsers and web servers, which is one of the most likely exploitation scenarios.


Hi Dinataspace,

Thank you for your feedback.

Really sorry for this inconvenience brought to you.

Sorry to tell you that at present Maxthon does not support disabling SSLv3, as this might cause some pages to become inaccessible.

But we will disable it in a future version. Please stay tuned.

Thank you for your support and understanding.


KelvinSmith replied at 2015-3-16 12:53:

Unfortunately, a lot of services and servers depend on SSL, not just HTTPS sites.

Like: mail servers ...

This March there is a new SSL/TLS vulnerability called the FREAK attack. It allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data.

The good news for us: Mx 4.4.4.3000 has passed the FREAK attack vulnerability test. I don't know about the older Mx versions, but you can test them with this link.

https://freakattack.com/clienttest.html

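As an added example (not code from this thread or from Maxthon), here is a small Python parser that reads a captured SSL/TLS ServerHello record and flags the two conditions discussed in KelvinSmith's POODLE post and the FREAK post above: SSLv3 negotiated together with a CBC cipher suite, and an RSA export cipher suite. The sample records are constructed inline; the cipher-suite ids are the IANA registry values for the suites named.

```python
import struct

# Ids from the IANA TLS registry. The suites listed are those relevant to the
# thread: RSA export suites (FREAK) and CBC suites (POODLE needs SSLv3 + CBC).
SSLV3 = 0x0300
HANDSHAKE, SERVER_HELLO = 22, 2
RSA_EXPORT_SUITES = {0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
                     0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
                     0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"}
CBC_SUITES = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
              0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
              0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}

def parse_server_hello(record: bytes) -> dict:
    """Return the protocol version and cipher suite from a ServerHello record."""
    content_type, _rec_version, rec_len = struct.unpack(">BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack(">H", hello[:2])[0]
    sid_len = hello[34]                      # 2 bytes version + 32 bytes random
    cipher_suite = struct.unpack(">H", hello[35 + sid_len:37 + sid_len])[0]
    return {"version": version, "cipher_suite": cipher_suite}

def assess(params: dict) -> list:
    """Flag the weak-protocol and weak-cipher conditions the thread discusses."""
    v, cs = params["version"], params["cipher_suite"]
    findings = []
    if v == SSLV3 and cs in CBC_SUITES:
        findings.append("POODLE: SSLv3 with CBC suite " + CBC_SUITES[cs])
    elif v == SSLV3:
        findings.append("SSLv3 negotiated; protocol should be disabled")
    if cs in RSA_EXPORT_SUITES:
        findings.append("FREAK: RSA export suite " + RSA_EXPORT_SUITES[cs])
    return findings

def build_server_hello(version: int, cipher_suite: int) -> bytes:
    """Constructed sample ServerHello (zero random, empty session id, null compression)."""
    hello = struct.pack(">H", version) + bytes(32) + b"\x00" \
        + struct.pack(">H", cipher_suite) + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack(">BHH", HANDSHAKE, version, len(handshake)) + handshake

if __name__ == "__main__":
    for ver, suite in [(SSLV3, 0x002F), (0x0301, 0x0003), (0x0303, 0x002F)]:
        print(hex(ver), hex(suite), assess(parse_server_hello(build_server_hello(ver, suite))))
```

The same parser can be pointed at ServerHello bytes extracted from a packet capture to confirm what a given browser and server actually negotiated.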

Dinataspace replied at 2015-3-16 19:11:

On this March, there is a new SSL/TLS vulnerability called the FREAK attack. It allows an attacker ...

Yeah. The FREAK attack is the latest cyber vulnerability. After DDoS attacks that led to an Internet slowdown globally, enterprises are under constant strain. Therefore, it becomes important for us to know about FREAK and adopt ways of safeguarding ourselves.


Still vulnerable to POODLE though, and I've been saying internally for ages that SSLv3, and mixed active content handling, should be disabled. Of course, they still ship Flash Player 16 bundled, which is known to be vulnerable also.
