30112853

Dinataspace replied at 2015-2-24 22:12 I don't think Mx not checking certificates. On my trial error with this url https://superfish.xmarks ... Yes sometimes Maxthon does, that's what makes this so strange, but there are also sites where it appears it doesn't. Including the test sites for SuperFish: https://filippo.io/Badfish/ & https://lastpass.com/superfish/ All other browsers work fine on those sites (including chrome/chromium/internet explorer, of which Maxthon uses it's engines), so apparently there is an issue somewhere in Maxthon. Also when you go to https://nl.surveymonkey.com/ there is no lock icon to see if the certificate is being checked, whereas there is one on https://google.nl/ (using .nl because I get redirected see next point). Strangely though when I enter https://www.google.com I get redirected to https://www.google.nl/?gfe_rd=cr&ei=AKHtVMDMKc-Y-AbMlYGAAg and I get no lock icon, if I then enter that url manually, the lock icon suddenly appears. I'm not saying this is related or that it means there are no checks, but it does appear there are some issues with certificate checking. As you pointed out, this could pose a serious security risk it's better to be safe than sorry. Dismissing an issue like out of the box wouldn't be professional and I'm sure the guys from Maxthon won't do that.

It's okay odyssee, I forgive you And I didn't really think you were doing it on purpose, that's why I said almost and used the ':P'

Agreed, it almost feels like they want to bury this And it appears to work as Google no longer finds the topic when you search for 'Superfish Maxthon', whereas it was the top result before this thread got moved. And apparently others can't find the topic neither: http://forum.maxthon.com/forum.php?mod=viewthread&tid=14630&extra=page%3D1%26filter%3Dtypeid%26typeid%3D132%26typeid%3D132

moss33 replied at 2015-2-22 18:47 So, is it safety using maxthon before they fix this? Basically no, because if certifices aren't check for validity, then a corrupt party could inject their own certificate and intercept all traffic you send/receive. For instance, if you go to your online banking account and enter your login information a third party could intercept your codes and use them to make transactions to themselves. This is called a man-in-the-middle attack. http://en.wikipedia.org/wiki/Man-in-the-middle_attack So for websites which only show you some info, this isn't too big of a deal, but for any site where you enter user-data it is a serious issue. So until this is fixed, I would suggest not doing anything which requires you to enter usernames/passwords and the like. For those instances I'd suggest using another browser (chrome, firefox, opera).