SSLv3 error alert



Today, my girlfriend told me that she gets an SSL error alert from the web, which is more or less like this.

"The client and server don’t support a common SSL protocol version or cipher suite. This is usually caused when the server needs SSLv3 support, which has been removed."

I tried the SSLv3 test on https://zmap.io/sslv3/ and unfortunately both Ultra and Retro mode gave the same result, with this notice.

"Warning! Your browser supports SSLv3."

I also ran the test on other browsers like Nitro, IE, Chrome, Yandex and Firefox, and each one of those passes the test without a warning; only Maxthon fails.

So, I am just curious: is there a way to disable SSLv3 in Maxthon? Is Maxthon still safe for us?


Just a small correction: unfortunately Mx Nitro gets the SSLv3 warning too. According to https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/Vnhy9aKM_l4 and https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/ SSLv3 has been disabled by default since Chrome 39 and Firefox 34. So, I assume it is due to the outdated Chromium core in Mx Nitro.

I hope Mx will remove support for the fallback to SSLv3 in the next release.


Unfortunately, a lot of services and servers depend on SSL, not just HTTPS sites.

Like: mail servers, SSH, and other business applications that use custom ports depend on SSL, and they all need to be updated to stop supporting SSLv3.

All systems and applications utilizing the Secure Socket Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers may be vulnerable. However, the POODLE (Padding Oracle on Downgraded Legacy Encryption) attack demonstrates this vulnerability using web browsers and web servers, which is one of the most likely exploitation scenarios.

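The point above about servers other than HTTPS sites still accepting SSLv3 can be checked from the wire format. The following is an added example, not part of the original posts and not any vendor's code: it builds an SSL 3.0-only ClientHello offering two CBC suites and classifies the first record of a server's reply; the function names and the sample replies are constructed for illustration.

```python
import os
import struct

# CBC-mode suites (the mode POODLE relies on): AES128-SHA and 3DES-SHA
CBC_SUITES = (0x002F, 0x000A)

def build_sslv3_client_hello(suites=CBC_SUITES) -> bytes:
    """ClientHello offering SSL 3.0 only, so a reply cannot be a newer version."""
    body = b"\x03\x00" + os.urandom(32) + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                             # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data: bytes) -> str:
    """Classify the first record a server returns for that ClientHello."""
    if len(data) < 5:
        return "incomplete"
    ctype, _maj, _min, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        return "incomplete"
    if ctype == 21 and length >= 2:                 # alert record: level, description
        return f"refused (alert {body[1]})"
    if ctype == 22 and length >= 39 and body[0] == 2:   # handshake: ServerHello
        if (body[4], body[5]) != (3, 0):
            return f"negotiated {body[4]}.{body[5]}"
        off = 39 + body[38]                         # skip the session id
        if len(body) < off + 2:
            return "incomplete"
        suite = struct.unpack("!H", body[off:off + 2])[0]
        mode = "CBC suite" if suite in CBC_SUITES else "suite"
        return f"SSLv3 accepted with {mode} 0x{suite:04x}"
    return "unexpected record"

# Constructed sample replies (not captured from any real server).
SAMPLE_ALERT = bytes.fromhex("15030000020228")      # fatal handshake_failure(40)
SAMPLE_HELLO = (b"\x16\x03\x00\x00\x2a\x02\x00\x00\x26\x03\x00"
                + bytes(32) + b"\x00\x00\x2f\x00")  # ServerHello, SSL 3.0, 0x002F

if __name__ == "__main__":
    for name, reply in (("alert", SAMPLE_ALERT), ("hello", SAMPLE_HELLO)):
        print(name, "->", classify_reply(reply))
```

To audit a service you run, send `build_sslv3_client_hello()` over a TCP socket to its implicit-TLS port and pass the first bytes received to `classify_reply`; a server with SSLv3 disabled answers with an alert record or closes the connection.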

Hi Dinataspace,

Thank you for your feedback.

Really sorry for this inconvenience brought to you.

Sorry to tell you that at present Maxthon does not support disabling SSLv3, so this might cause some pages to be inaccessible.

But we will disable it in a future version. Please stay tuned.

Thank you for your support and understanding.


KelvinSmith replied at 2015-3-16 12:53

Unfortunately, a lot of services and servers depend on SSL, not just HTTPS sites.

Like: mail servers ...

This March, there is a new SSL/TLS vulnerability called the FREAK attack. It allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data.

The good news for us is that Mx 4.4.4.3000 has passed this FREAK attack vulnerability test. I don't know about the older Mx versions, but you can test an older Mx version with this link.

https://freakattack.com/clienttest.html


  • 3 weeks later...

Dinataspace replied at 2015-3-16 19:11

On this March, there is a new SSL/TLS vulnerability called the FREAK attack. It allows an attacker ...

Yeah. The FREAK attack is the latest cyber vulnerability. After DDoS that led to Internet slowdown globally, enterprises are under constant strain. Therefore, it becomes important for us to know about FREAK and adopt ways of safeguarding ourselves.
