Maxthon not checking certificates?



I don't think Mx is not checking certificates. In my trial and error with this URL, https://superfish.xmarks.com/infected.png, Mx can check/recognize the cert, knows the cert is invalid, and then prompts the user whether to continue the visit or not.

It's just Mx's behaviour of not auto-blocking bad content from fake or bad SSL certificates at all. It's really bad behaviour and puts its users at risk. This security issue should be at the top of the priority list.


Dinataspace replied at 2015-2-24 22:12

I don't think Mx not checking certificates. On my trial error with this url https://superfish.xmarks ...

Yes, sometimes Maxthon does, that's what makes this so strange, but there are also sites where it appears it doesn't.

Including the test sites for SuperFish: https://filippo.io/Badfish/ & https://lastpass.com/superfish/

All other browsers work fine on those sites (including Chrome/Chromium/Internet Explorer, of which Maxthon uses its engines), so apparently there is an issue somewhere in Maxthon.

Also, when you go to https://nl.surveymonkey.com/ there is no lock icon to see if the certificate is being checked, whereas there is one on https://google.nl/ (using .nl because I get redirected, see next point).

Strangely though, when I enter https://www.google.com I get redirected to https://www.google.nl/?gfe_rd=cr&ei=AKHtVMDMKc-Y-AbMlYGAAg and I get no lock icon; if I then enter that URL manually, the lock icon suddenly appears.

I'm not saying this is related or that it means there are no checks, but it does appear there are some issues with certificate checking.

As you pointed out, this could pose a serious security risk; it's better to be safe than sorry.

Dismissing an issue like out of the box wouldn't be professional and I'm sure the guys from Maxthon won't do that.


I think it's time to stop repeating the same thing over and over and over and over. They know there's a problem and we have to give them time to respond. In the meantime, if it really is a concern, stop using Maxthon and use another browser. Most who are posting are still using Maxthon in spite of the problem, so apparently it's not all that serious.


30112853 replied at 2015-2-25 17:26

Yes sometimes Maxthon does, that's what makes this so strange, but there are also sites where it a ...

As you mentioned with the Superfish test sites, https://filippo.io/Badfish/ and https://lastpass.com/superfish/ both use infected sampling to detect the Superfish cert. In this case, lastpass.com is using https://superfish.xmarks.com/infected.png, which is embedded in their HTML as an image, to detect the existence of Superfish. It makes sense that Mx looks like it is not checking certs, because Mx is not auto-blocking bad content from bad SSL certificates, which means all content, including bad content like https://superfish.xmarks.com/infected.png, will still be automatically rendered without any prompt. This is really bad and of course it should be fixed in the next release.

Yes, it's not related, but in the case of https://nl.surveymonkey.com/ I'm not facing any issue; Mx can still check/recognize the RapidSSL cert from the SSL on that site (there is a lock icon to show that the certificate has been checked).

In the case of Google redirection/forwarding, it depends on geolocation (redirecting users based on their location or automatically choosing a country based on IP address). For example, if you visit google.com and you are from Australia (e.g. using a proxy/ISP from Australia etc.), you automatically get redirected to google.com.au. The same goes if you are from Holland: you will automatically get redirected to google.nl. It is widely used by big global organisations to redirect their main .com domain to local country-based domains. It's not an Mx bug.

Here's the screenshot, which was taken from https://nl.surveymonkey.com/ and https://google.nl. On both surveymonkey and google, there is a lock icon to show that the certificate has been checked by Mx.

Last, let's wait to see the progress in the next release.

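The canary-image check described in the post above, written out as an added example (not part of the original thread and not any test site's own code). The function names and the injectable `ImageCtor` are assumptions of this sketch; it shows why a "loaded" result is only meaningful when the browser rejects subresources served with an untrusted certificate.

```javascript
// Added example. CANARY_URL is the image URL quoted in the thread; every
// function name here is hypothetical, not taken from any test site's code.
const CANARY_URL = 'https://superfish.xmarks.com/infected.png';

// Load `url` as an image and report 'loaded', 'refused' or 'timeout' once.
// ImageCtor is injectable so the logic also runs outside a browser.
function probeCanary(url, done, ImageCtor = globalThis.Image, timeoutMs = 5000) {
  if (typeof ImageCtor !== 'function') throw new Error('no Image implementation');
  let settled = false;
  let timer = null;
  const finish = (outcome) => {
    if (settled) return;
    settled = true;
    if (timer !== null) clearTimeout(timer);
    done(outcome);
  };
  const img = new ImageCtor();
  img.onload = () => finish('loaded');   // TLS handshake accepted, image fetched
  img.onerror = () => finish('refused'); // handshake or fetch rejected
  img.src = url;                         // assigning src starts the request
  if (!settled) timer = setTimeout(() => finish('timeout'), timeoutMs);
}

// A 'loaded' result only indicates interception when the browser is known to
// reject subresources served with an untrusted certificate.
function interpret(outcome, enforcesSubresourceCerts) {
  if (outcome === 'refused') return 'no-interception-seen';
  if (outcome === 'timeout') return 'inconclusive';
  return enforcesSubresourceCerts ? 'interception-root-trusted' : 'ambiguous';
}

// Constructed stand-in for a browser Image: fires the named handler on src set.
function fakeImage(handler) {
  return class {
    set src(_url) { this[handler](); }
  };
}

// Run one probe against a given Image implementation and return the verdict.
function check(ImageCtor, enforcesSubresourceCerts) {
  let verdict = 'pending';
  probeCanary(CANARY_URL, (o) => { verdict = interpret(o, enforcesSubresourceCerts); }, ImageCtor);
  return verdict;
}

console.log(check(fakeImage('onerror'), true));  // browser refuses the bad cert
console.log(check(fakeImage('onload'), true));   // enforcing browser still loads it
console.log(check(fakeImage('onload'), false));  // browser renders it regardless
```

In a real page, call `probeCanary(CANARY_URL, callback)` with the browser's own `Image`; the third case is the behaviour the post attributes to Mx, where the image renders whether or not an interception root is installed.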

No.1MaxthonFan replied at 2015-2-25 03:03

I think it's time to stop repeating the same thing over and over and over and over. They know there ...

You are right, we have said what we wanted to say, now it's up to the devs to look at it.

Thanks everybody for responding and let's wait for a fix :)


odyssee replied at 2015-3-2 03:37

false positive or not, it's fixed in last test version. We just have to wait for the new update!

...

I am glad it got resolved. I believe a new beta is coming shortly.

This topic is now closed to further replies.