Dinataspace Posted March 1, 2015

Today, my girlfriend tells me that she gets an SSL error alert from the web which is more or less like this:

"The client and server don't support a common SSL protocol version or cipher suite. This is usually caused when the server needs SSLv3 support, which has been removed."

I have tried to check and do the SSLv3 test on https://zmap.io/sslv3/ and unfortunately both Ultra and Retro mode got the same result with this notice:

"Warning! Your browser supports SSLv3."

I also took some tests on other browsers like Nitro, IE, Chrome, Yandex and Firefox, and each one of those passes the test without warning; only Maxthon fails. So, I'm just curious: is there a way to disable SSLv3 in Maxthon? Is Maxthon still safe for us?

Dinataspace Posted March 1, 2015 Author

Just a small correction: unfortunately Mx Nitro gets the SSLv3 warning too. According to https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/Vnhy9aKM_l4 and https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/ SSLv3 has been disabled by default since Chrome 39 and Firefox 34. So, I assumed it is due to the outdated Chromium core in Mx Nitro. I hope Mx will remove support for the fallback to SSLv3 in the next release.

Dinataspace Posted March 8, 2015 Author

Hello ppl, I've read that the Superfish vulnerability issue was fixed in Mx 4.4.4.2100, but is there any progress with this security issue in the latest silent beta version (Mx 4.4.4.2200)?

Dinataspace Posted March 12, 2015 Author

7twenty
Still there.

Thanks, 7twenty. The SSLv3 POODLE vulnerability issue also still persists on Mx 4.4.4.3000.

KelvinSmith Posted March 16, 2015

Unfortunately, a lot of services and servers depend on SSL, not just HTTPS sites. For example, mail servers, SSH, and other business applications that use custom ports depend on SSL, and they all need to be updated to stop supporting SSLv3. All systems and applications utilizing the Secure Sockets Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers may be vulnerable. However, the POODLE (Padding Oracle on Downgraded Legacy Encryption) attack demonstrates this vulnerability using web browsers and web servers, which is one of the most likely exploitation scenarios.
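
A check for the point in the post above, that services other than HTTPS sites must also stop accepting SSLv3. This is an added example, not code from the thread or from Maxthon: it offers SSL 3.0 only, with CBC suites, and classifies the first bytes of the reply. The function names are hypothetical, the sample replies are constructed, and it assumes a service you administer that speaks SSL/TLS from the first byte (no STARTTLS).

```python
import os
import socket
import struct

# CBC-mode suites (the cipher mode the post above names as affected under SSL 3.0):
# RSA_WITH_AES_128_CBC_SHA, RSA_WITH_AES_256_CBC_SHA, RSA_WITH_3DES_EDE_CBC_SHA
CBC_SUITES = (0x002F, 0x0035, 0x000A)
SSL3 = b"\x03\x00"

def client_hello() -> bytes:
    """Build a ClientHello that offers SSL 3.0 only (no extensions)."""
    suites = b"".join(struct.pack("!H", s) for s in CBC_SUITES)
    body = (SSL3 + os.urandom(32)            # client_version, random
            + b"\x00"                        # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                   # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify(reply: bytes) -> str:
    """Interpret the first bytes the server sent back."""
    if len(reply) < 5:
        return "inconclusive"                # closed or timed out: check manually
    if reply[0] == 0x15:
        return "rejected"                    # alert record: the offer was refused
    # Handshake record carrying a ServerHello (type 2) with server_version 3.0
    if reply[0] == 0x16 and reply[5:6] == b"\x02" and reply[9:11] == SSL3:
        return "accepted"
    return "inconclusive"

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send the SSLv3-only hello to host:port and classify the answer."""
    reply = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(client_hello())
            while len(reply) < 11:           # record header + ServerHello version
                chunk = sock.recv(64)
                if not chunk:
                    break
                reply += chunk
    except OSError:
        pass                                 # unreachable or reset: inconclusive
    return classify(reply)

# Constructed sample replies (not captured traffic)
SAMPLE_SERVER_HELLO = b"\x16\x03\x00\x00\x2a\x02\x00\x00\x26\x03\x00" + bytes(36)
SAMPLE_ALERT = b"\x15\x03\x00\x00\x02\x02\x28"   # fatal handshake_failure
```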

BugMiss006 Posted March 16, 2015

Hi Dinataspace, Thank you for your feedback. Really sorry for the inconvenience brought to you. Sorry to tell you that at present Maxthon does not support disabling SSLv3, so this might cause some pages to be inaccessible. But we will disable it in a future version. Please stay tuned. Thank you for your support and understanding.

Dinataspace Posted March 16, 2015 Author

KelvinSmith replied at 2015-3-16 12:53
Unfortunately, a lot of services and servers depend on SSL, not just HTTPS sites. Like: mail servers ...

This March, there is a new SSL/TLS vulnerability called the FREAK attack. It allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data. The good news for us is that Mx 4.4.4.3000 has passed this FREAK attack vulnerability issue. I don't know about the older Mx versions, but you can test an older Mx version with this link: https://freakattack.com/clienttest.html

KelvinSmith Posted April 2, 2015

Dinataspace replied at 2015-3-16 19:11
On this March, there is a new SSL/TLS vulnerability called the FREAK attack. It allows an attacker ...

Yeah. The FREAK attack is the latest in cyber vulnerabilities. After the DDoS that led to an Internet slowdown globally, enterprises are under constant strain. Therefore, it becomes important for us to know about FREAK and adopt ways of safeguarding ourselves.

bricky149 Posted April 2, 2015

Still vulnerable to POODLE though, and I've been saying internally for ages that SSLv3, and mixed active content handling, should be disabled. Of course, they still ship Flash Player 16 bundled, which is known to be vulnerable also.