Maxthon not checking certificates?



When I do the Superfish CA Test (https://filippo.io/Badfish/) it tells me anyone can intercept the connections made from Maxthon.

I tried in both Ultra and Retro mode, both say the certificate isn't checked.

I also tried in Internet Explorer, Chrome, Opera and Firefox and each one of those passes the test, but only Maxthon fails.

Please check this, because this is a serious security risk.

Also, it seems this might be related to this:

http://forum.maxthon.com/thread-13281-1-1.html

Link to comment
Share on other sites

I'm getting the same result too, although I had no idea that it's Maxthon that's causing it. I don't have Superfish so I've been trying to find out why I'm failing the security test. IF it's Maxthon, then that would explain a lot. I've complained here before about Chinese pop ups appearing, recently it's Facebook pages automatically refreshing and so on. Am I being intercepted via Maxthon? This needs seriously checked.

Link to comment
Share on other sites

Seeing as I forgot, my browser versions:

Maxthon: 4.4.3.4000

IE: 11.0.9600.17633

Opera: 27.0.1689.69

Chrome: 40.0.2214.115 m

Firefox: 35.0.1

I've not seen any strange behavior as Mist has though, but I do find this serious enough to drop this browser when doing my banking business and any payments.

I would also encourage anybody else not to do any online banking or payments through Maxthon until this issue is fixed, because if certificates aren't checked, a man in the middle attack would be peanuts.

Link to comment
Share on other sites

How do you find which certificates are connected to Maxthon? There's none listed as Maxthon on my Trusted Certificates List. Do they use a different name or title, or is there a country, perhaps China, which identifies them? I'd like to remove the Maxthon certificates and see what happens when I check the Superfish test page. If I still fail the test, then I know it's something else.

Link to comment
Share on other sites

Oliver One replied

You said 4.4.3.4000, but here I see 4.4.0.3000! Your UA is not updated? Post time Yesterday 23:31

@ Oliver - I looked on the 'about' page and there it says 4.4.3.4000, but in the custom user agent string in advanced options it says 4.4.0.3000. I guess this one doesn't get updated when updating to a new version (which is pretty logical).

But I'm pretty sure the user agent string doesn't affect checking certificates.

Link to comment
Share on other sites

Just to be sure I also tried with updated custom user agent string and with custom user agent string disabled.

Both give the same result, so the user agent string is totally unrelated.

I also tried from work, where I have Windows 8.1 instead of 7, so the OS seems unrelated as well.

I saw there was an official release of Maxthon version 4.4.4.2000 (doesn't come with auto updates yet apparently), and tried it with that version as well.

Unfortunately this version also has the issue.

Link to comment
Share on other sites

I raised it on their FB page last night and the guy responded that I was right, he'd just checked it on a Lenovo laptop!! I had to remind him that I wasn't using anything connected with Lenovo, nor was there a Superfish certificate on my machine and that everything was OK whilst using different browsers. I felt embarrassed for the guy because there were no further replies after that, he was obviously just trying to palm me off with some excuse and platitudes.

Link to comment
Share on other sites

Ohke replied at 2015-2-21 08:00

If you find any names like this, in your Installed Programs

and also under your Trusted Certificate ...

I have a Lenovo desktop and there are no certificates on this machine running Windows 10 Technical Preview 9926 and no installed software either, so it is Maxthon that is giving me a false positive.

Windows 10 64-bit build 10525/Windows 10 Mobile build 10512

Link to comment
Share on other sites

I'm not on a Lenovo laptop or a Lenovo desktop for that matter.

I'm on a home-built computer, an Asus laptop and a desktop from HP.

All have the same issue, but only in Maxthon.

If it was actually an infection with Superfish, it would give the same response in all browsers, not just in Maxthon.

It's not our computers, it's Maxthon.

Just to make things a bit more clear, I work in a computer repair shop, and I've actually tried this on a clean install on a newly built computer.

Again only Maxthon gives a problem, none of the other browsers do this.

Link to comment
Share on other sites

moss33 replied at 2015-2-22 18:47

So, is it safe to use Maxthon before they fix this?

Basically no, because if certificates aren't checked for validity, then a corrupt party could inject their own certificate and intercept all traffic you send/receive.

For instance, if you go to your online banking account and enter your login information a third party could intercept your codes and use them to make transactions to themselves.

This is called a man-in-the-middle attack.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

So for websites which only show you some info, this isn't too big of a deal, but for any site where you enter user-data it is a serious issue.

So until this is fixed, I would suggest not doing anything which requires you to enter usernames/passwords and the like.

For those instances I'd suggest using another browser (Chrome, Firefox, Opera).

Link to comment
Share on other sites

Can I ask why this thread has been moved to user voices?

I didn't get a notice and couldn't find it at first.

Secondly I don't think user voices is a good category...this issue is extremely serious and should get more attention than what user voices suggests.

To me user voices sounds like user's opinions and this most definitely isn't just an opinion.

Link to comment
Share on other sites

Agreed, it almost feels like they want to bury this :p

And it appears to work as Google no longer finds the topic when you search for 'Superfish Maxthon', whereas it was the top result before this thread got moved.

And apparently others can't find the topic either: http://forum.maxthon.com/forum.php?mod=viewthread&tid=14630&extra=page%3D1%26filter%3Dtypeid%26typeid%3D132%26typeid%3D132

Link to comment
Share on other sites

I'm pretty concerned about this. I used Paypal before I knew about this situation but since I have, I've gone ahead and changed my Paypal password because that's the one that's dealing with money. Are there any others I should be changing, email, Ebay, and so on? I've got a vast amount of accounts which may all be vulnerable now and it'll take me a fair bit of time to change all their passwords and stuff.

This is pretty shocking behaviour from Maxthon. I wonder if they've been spying on Maxthon users all this time until Superfish hit the headlines? I've reported Chinese pop ups and other strange behaviours here lots of times and just been more or less dismissed but it's the fact that they moved this thread and tried to bury that's got my suspicions up.

Link to comment
Share on other sites

Mist001 replied at 2015-2-24 19:31

I'm pretty concerned about this. I used Paypal before I knew about this situation but since I have, ...

Stop acting paranoid, lol!

Flash is buggy, Windows is also buggy.

Google and Microsoft are spying on you too.

You can always stop using all this fishy software.

No one forces you to use Maxthon.

Wait until the holidays in China end and then we will see what the Maxthon devs say about this.

For now I would advise you to stop spinning your own conspiracy theory.

Link to comment
Share on other sites

Mist001 replied at 2015-2-24 18:31

I'm pretty concerned about this. I used Paypal before I knew about this situation but since I have, ...

Complete rubbish IMO - if you are worried about all you say then find the off button on your computer - that will solve all you are worried about.

Tony     -  Vivaldi 4 on Windows 10 64Bit
Link to comment
Share on other sites

Well, I think you're all wrong not to be concerned about this. These are more or less the same responses that I got when I was reporting the Chinese pop ups with Maxthon. If anyone gets robbed whilst using Maxthon, is there any recompense? No. I'm asking about the risks, you clowns are acting like you know all the risks already when really, you know nothing.

Link to comment
Share on other sites

I know that the minute I turn my PC on and access the internet there are risks - I don't think there are more or less with this - like I said, press the off button or use another browser.

Nothing will happen until they get back to work, so you have to choose.

Tony     -  Vivaldi 4 on Windows 10 64Bit
Link to comment
Share on other sites

Mist001 replied at 2015-2-25 04:31

I've reported Chinese pop ups and other strange behaviours here lots of times and just been more or less dismissed but it's the fact that they moved this thread and tried to bury that's got my suspicions up.

I don't think they've been dismissed, just that there was no solid info found to confirm exactly what it was. Nothing has been explicitly stated either way.

As far as the thread being "buried"... you're trying to make something out of nothing. The thread was accidentally moved to User Voices when it was merged with another thread (post #15). That was nothing more than the Mod doing the merge not noticing what forum the merged thread was allocated to. This was fixed as soon as they were notified, and nothing to do with your paranoia about Maxthon trying to hide stuff. If we were trying to make it look like Maxthon is the perfect browser then 99% of the threads here would be deleted :-P

I wonder if they've been spying on Maxthon users all this time until Superfish hit the headlines?

I'm not sure if you realise but Maxthon's install base is tiny compared to any of the other browsers. The odds that anyone would be specifically targeting it (even in light of this apparent issue) is highly unlikely.

Link to comment
Share on other sites

This topic is now closed to further replies.