Yawg Posted June 8, 2015

The site https://weakdh.org/ shows:

> Warning! Your web browser is vulnerable to Logjam and can be tricked into using weak encryption. You should update your browser.

and offers some more detailed explanations. I want to know if Maxthon devs know about this and if they're working on implementing a fix. It seems serious.

~Ohke Posted June 8, 2015

HTTPS websites, mail servers vulnerable

HTTPS-crippling attack threatens tens of thousands of Web and mail servers

HTTP://forum.maxthon.com = so it's only when you visit a place via HTTPS you are vulnerable + Mails.

This is good to know, thanks for posting. Same with Nitro...

If you’re a sysadmin or developer… Make sure any TLS libraries you use are up-to-date, that servers you maintain use 2048-bit or larger primes, and that clients you maintain reject Diffie-Hellman primes smaller than 1024-bit.

If you want to continue to support non-elliptic-curve Diffie-Hellman, at the very least, you should disable Group 1 support, by removing the diffie-hellman-group1-sha1 Key Exchange. It is fine to leave diffie-hellman-group14-sha1, which uses a 2048-bit prime.

At least you're safe with FREAK attack > https://freakattack.com/ (^^,)

Best regards
Ohke

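The client-side rule in the advice quoted in the post above (reject Diffie-Hellman primes under 1024 bits, with 2048 bits or larger as the server target), as an added Python example that is not part of the original thread or of any browser's code: it parses the ServerDHParams fields of a TLS DHE ServerKeyExchange body and grades the prime. The function names, verdict strings and sample values are assumptions made for this illustration, and the range check on g and Ys is general Diffie-Hellman hygiene rather than something the thread states.

```python
import struct

CLIENT_MIN_BITS = 1024     # thread's advice: clients reject primes below this
SERVER_TARGET_BITS = 2048  # thread's advice: servers use this size or larger

def _read_vec16(buf, off):
    """Read one TLS opaque<1..2^16-1>: 2-byte big-endian length, then body."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return int.from_bytes(buf[off:off + n], "big"), off + n

def parse_server_dh_params(buf):
    """Return (p, g, Ys) from the ServerDHParams at the start of buf."""
    p, off = _read_vec16(buf, 0)
    g, off = _read_vec16(buf, off)
    ys, off = _read_vec16(buf, off)
    return p, g, ys

def check_dh_group(buf):
    """Hypothetical policy check: returns ('reject' | 'weak' | 'ok', prime bits)."""
    p, g, ys = parse_server_dh_params(buf)
    bits = p.bit_length()  # leading zero padding does not inflate the size
    if bits < CLIENT_MIN_BITS:
        return "reject", bits  # includes 512-bit export-grade groups
    if not (1 < g < p - 1 and 1 < ys < p - 1):
        return "reject", bits  # degenerate generator or public value
    return ("weak" if bits < SERVER_TARGET_BITS else "ok"), bits

def build_params(p, g=2, ys=4, pad_to=0):
    """Encode constructed sample values as ServerDHParams bytes."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes(max((v.bit_length() + 7) // 8, pad_to), "big")
        out += struct.pack(">H", len(raw)) + raw
    return out

# Constructed inputs: odd numbers of the right size, not vetted primes.
SAMPLE_512 = build_params((1 << 511) | 1)
SAMPLE_1024 = build_params((1 << 1023) | 1)
SAMPLE_2048 = build_params((1 << 2047) | 1)

if __name__ == "__main__":
    for name in ("SAMPLE_512", "SAMPLE_1024", "SAMPLE_2048"):
        print(name, check_dh_group(globals()[name]))
```
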
BugMiss006 Posted June 8, 2015

Hi,

Thanks for your question. It is the same on my side in Ultra mode. Our product department will fix it in the release of the next new core. However, you can change it to Retro mode and it will be fine.

I hope this could help you. Have a nice day!

Yawg Posted June 8, 2015

Switching to Retro mode doesn't help with this, still receiving the same red warning.

Another thing, partly on-topic, it seems Maxthon is quite behind on other security features too - 2 more problems shown by: https://www.ssllabs.com/ssltest/viewMyClient.html

1. SSL3 - the POODLE attack - it's like 7 months old and all major browsers have fixed it long ago, Maxthon still didn't
2. Mixed Content Handling - most browsers have no problems with this but Maxthon allows all of that and doesn't even always show a warning.

BugMiss006 Posted June 12, 2015

Hi,

Thanks for your response. Your link is not available. Also, it works fine on my side after changing mode. Maybe you can have a try then.

Ldfa Posted June 12, 2015

I think this is the right link: https://www.ssllabs.com/ssltest/analyze.html?d=maxthon.com but it's on server side.

Look at the difference: https://www.ssllabs.com/ssltest/analyze.html?d=maxthon-fr.com

See ya, Ldfa.

-ody- Posted June 12, 2015

> I think this is the right link: https://www.ssllabs.com/ssltest/analyze.html?d=maxthon.com but it's on server side.
>
> Look at the difference: https://www.ssllabs.com/ssltest/analyze.html?d=maxthon-fr.com

This is surely something to consider!

7twenty Posted June 14, 2015

Hmmmm concerning?

Sapioit_ Posted July 8, 2015

> Hmmmm concerning?

"Hmmmm" maybe I should stop using Maxthon, as well... it just switched from one of the most secured browsers to one of the least secured...

Dragoncho Posted August 10, 2015

Hi all,

please do not confuse the SSL Labs browser tests with the site tests. For the Logjam attack you should be aware that the latest Google Chrome Version 44.0.2403.130 m is also vulnerable to this attack according to these tests.

We should all be concerned about security, but we should also assess the risks from those vulnerabilities and if they affect your work. Also, please keep in mind that some of the biggest security problems affected almost all servers on the Internet, including the most secure ones. So, do not be aggressive about it, but give your best effort to help make this browser the best one. There is no software without bugs. And we are all humans.

Here is the correct link again: https://www.ssllabs.com/ssltest/viewMyClient.html

Dragoncho Posted January 6, 2016

Hi again, not fixed in 4.9 so far. Chrome 47 does not show any warnings anymore.

PHYR Posted January 6, 2016

8 hours ago, Dragoncho said:

> Hi again, not fixed in 4.9 so far. Chrome 47 does not show any warnings anymore.

On 6/8/2015, 6:30:00, Yawg said:

> Switching to Retro mode doesn't help with this, still receiving the same red warning.
>
> Another thing, partly on-topic, it seems Maxthon is quite behind on other security features too - 2 more problems shown by: https://www.ssllabs.com/ssltest/viewMyClient.html
>
> 1. SSL3 - the POODLE attack - it's like 7 months old and all major browsers have fixed it long ago, Maxthon still didn't
> 2. Mixed Content Handling - most browsers have no problems with this but Maxthon allows all of that and doesn't even always show a warning.

1. Switching to Retro will help if you've disabled SSL3 in internet settings, neither Logjam nor POODLE show red warnings. Perhaps dependent on OS too?
2. Switching to Retro shows that Maxthon handles mixed content like Chrome, there is still a problem with images.

7twenty Posted February 7, 2016

8 months later and a new core and still these issues are not fixed...

Considering the world has gotten very security conscious, I'd think this would and should have been a priority to get fixed. The odds of one of these attacks occurring may be small, but if users think the browser is less secure than any of the others, then they will automatically disregard it as an option.