Dinataspace, posted February 25, 2015

I don't think Mx is not checking certificates. In my trial and error with this URL, https://superfish.xmarks.com/infected.png, Mx can check/recognize the cert, knows the cert is invalid, and then prompts the user to continue the visit or not.

It's just Mx's behaviour of not auto-blocking bad content from fake or bad SSL certificates at all. It's really bad behaviour and puts their users at risk. This security issue should be at the top of the priority list.

30112853, posted February 25, 2015

> Dinataspace replied at 2015-2-24 22:12
> I don't think Mx not checking certificates. On my trial error with this url https://superfish.xmarks ...

Yes, sometimes Maxthon does, that's what makes this so strange, but there are also sites where it appears it doesn't. Including the test sites for SuperFish: https://filippo.io/Badfish/ & https://lastpass.com/superfish/

All other browsers work fine on those sites (including Chrome/Chromium/Internet Explorer, of which Maxthon uses its engines), so apparently there is an issue somewhere in Maxthon.

Also, when you go to https://nl.surveymonkey.com/ there is no lock icon to see if the certificate is being checked, whereas there is one on https://google.nl/ (using .nl because I get redirected; see next point).

Strangely though, when I enter https://www.google.com I get redirected to https://www.google.nl/?gfe_rd=cr&ei=AKHtVMDMKc-Y-AbMlYGAAg and I get no lock icon; if I then enter that URL manually, the lock icon suddenly appears.

I'm not saying this is related or that it means there are no checks, but it does appear there are some issues with certificate checking. As you pointed out, this could pose a serious security risk; it's better to be safe than sorry. Dismissing an issue like this out of the box wouldn't be professional and I'm sure the guys from Maxthon won't do that.

No.1MaxthonFan, posted February 25, 2015

I think it's time to stop repeating the same thing over and over and over and over. They know there's a problem and we have to give them time to respond. In the meantime, if it really is a concern, stop using Maxthon and use another browser. Most who are posting are still using Maxthon in spite of the problem, so apparently it's not all that serious.

Windows 10 64-bit build 10525/Windows 10 Mobile build 10512

Dinataspace, posted February 25, 2015

> 30112853 replied at 2015-2-25 17:26
> Yes sometimes Maxthon does, that's what makes this so strange, but there are also sites where it a ...

As you mentioned with the Superfish test sites, https://filippo.io/Badfish/ and https://lastpass.com/superfish/ are both using infected sampling to detect the Superfish cert. In this case, lastpass.com is using https://superfish.xmarks.com/infected.png to detect Superfish's existence, which is embedded in their HTML as an image.

It makes sense that Mx looks like it is not checking the cert, because Mx is not auto-blocking bad content from bad SSL certificates, which means all content, including bad content like https://superfish.xmarks.com/infected.png, will still be automatically rendered without any prompt. This is really bad and of course it should be fixed in the next release.

Yes, it's not related, but in the case of https://nl.surveymonkey.com/ I'm not facing any issue; Mx can still check/recognize the RapidSSL cert from SSL on that site (there is a lock icon to ensure that the certificate has been checked).

In the case of the Google redirection/forwarding, it depends on geolocation (redirecting users based on their location or automatically choosing a country based on IP address). For example, if you visit google.com and you are from Australia (e.g. using a proxy/ISP from Australia etc.), you automatically get redirected to google.com.au. The same goes if you are from Holland: you will automatically get redirected to google.nl. It is widely used by big global organisations to redirect their main .com domain to local country-based domains. It's not an Mx bug.

Here's the screenshot which was taken from https://nl.surveymonkey.com/ and https://google.nl. On both surveymonkey and google, there is a lock icon to ensure that the certificate has been checked by Mx.

[screenshot attachment]

Last, let's wait to see the progress in the next release.

RagingRaven (thread author), posted February 25, 2015

> No.1MaxthonFan replied at 2015-2-25 03:03
> I think it's time to stop repeating the same thing over and over and over and over. They know there ...

You are right, we have said what we wanted to say, now it's up to the devs to look at it. Thanks everybody for responding and let's wait for a fix.

Guest, posted February 27, 2015

Hi guys,

Please go to our blog, http://www.maxthon.com/blog/update-superfish-and-maxthon/, and you will find your answers.

Long story short: there is nothing to worry about. If Maxthon is the only browser that gives you a ‘you are at risk’ warning, you are safe. If other browsers give you the same warning then you should be concerned.
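
Added example, not part of any post in this thread and not code from Maxthon or the test sites: a JavaScript version of the image-load check described in the posts above, paired with a control image so that a browser which renders content from any invalid certificate is told apart from one that actually trusts the Superfish CA. The control URL, the function names and the verdict strings are assumptions; only the Superfish probe URL comes from the thread.

```javascript
// Added example, not code from the thread, Maxthon or the test sites.
// SUPERFISH_PROBE is the URL quoted in the thread. CONTROL_PROBE is a
// hypothetical placeholder for an image served with an unrelated invalid
// (for example self-signed) certificate.
const SUPERFISH_PROBE = "https://superfish.xmarks.com/infected.png";
const CONTROL_PROBE = "https://invalid-cert.example/pixel.png";

// Load one image and pass "loaded", "blocked" or "timeout" to onResult.
// createImage is injected so the logic can also run outside a browser.
function probeImage(url, createImage, onResult, timeoutMs = 5000) {
  const img = createImage();
  let settled = false;
  let timer = null;
  const finish = (outcome) => {
    if (settled) return;
    settled = true;
    clearTimeout(timer);
    onResult(outcome);
  };
  timer = setTimeout(() => finish("timeout"), timeoutMs);
  img.onload = () => finish("loaded");   // connection accepted, image decoded
  img.onerror = () => finish("blocked"); // certificate rejected or host unreachable
  img.src = url;                         // assigning src starts the request
}

// Turn the two outcomes into a verdict.
function classify(superfish, control) {
  if (superfish === "timeout" || control === "timeout") return "inconclusive";
  if (superfish === "blocked") return "superfish-cert-not-accepted";
  // The Superfish-signed image rendered. If the control rendered too, the
  // browser is not blocking invalid-certificate content at all, so the
  // result says nothing about the Superfish CA being installed.
  return control === "loaded"
    ? "browser-renders-invalid-cert-content"
    : "superfish-ca-trusted";
}

// Run the Superfish probe, then the control, and report one verdict.
function runCheck(createImage, onVerdict, timeoutMs) {
  probeImage(SUPERFISH_PROBE, createImage, (superfish) => {
    probeImage(CONTROL_PROBE, createImage, (control) => {
      onVerdict(classify(superfish, control));
    }, timeoutMs);
  }, timeoutMs);
}

// In a browser: runCheck(() => new Image(), (verdict) => console.log(verdict));
```

A "blocked" outcome cannot separate a rejected certificate from an unreachable host, so only the two "loaded" verdicts carry a positive signal.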

-ody-, posted March 2, 2015

> AdminH replied at 2015-2-27 22:45
> Hi guys, Please, go to our blog http://www.maxthon.com/blog/update-superfish-and-maxthon/ and you w ...

False positive or not, it's fixed in the last test version. We just have to wait for the new update!

Guest, posted March 2, 2015

> odyssee replied at 2015-3-2 03:37
> false positive or not, it's fixed in last test version. We just have to wait for the new update ! ...

I am glad it got resolved. I believe a new beta is coming shortly.