Maxthon Browser Sends Sensitive Data to China

Discussion in 'other security issues & news' started by ronjor, Jul 14, 2016.

  1. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Lol ok sir.
     
  2. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    ;)
     
  3. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    Suffice to say I find Chen's answer very convenient and not particularly reassuring. I haven't dug in beyond noting that Maxthon has a "freeware" license - can anyone even see the source code? I would assume if so the research team would have referenced the offending code, and thus it probably isn't open-source at all. I could be wrong.

    I think in today's day and age open-source code is more important to privacy than anything else. You simply can't trust anyone with any form of power (obfuscation is a strong form of power) over you to not USE that power for their own benefit, even when it comes at the expense of their customer base. They will peddle some "oops" trope, revert whatever they were chided for, then quietly revert the change a year later when announcing new features, etc.

    We've seen this time and time again. Even Chromium tried this (something to do with the microphone if I recall correctly)!

    If you can't see the code - and don't have capable eyes periodically reviewing it - you simply cannot trust it only does what it says it does.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm just saying that most people won't bother to figure out if there is suspicious activity going on. And even for a more experienced user like me, it's sometimes hard to figure out if those connections are legit or not. So I wouldn't be surprised if more browsers are tracking us. The thing is, they don't have to phone home all of the time. They can send tracking data just once a day, making it very hard to notice. I just hope people will continue to investigate popular browsers like Firefox, Chrome, Opera and Vivaldi.
     
  5. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Or once a week, once a month, once a year, only in response to commands issued from developer servers, only on some platforms and not others, only for a subset of users rather than all, beginning after one software update and ending with the next software update, etc.

    Note, however, that there are ways to perform longer-term or fully continuous monitoring at the application level, local proxy level, software firewall level, DNS level, and/or gateway level. Which involves some extra work obviously.
    It is definitely needed and the more eyes the better. Thing is, most of the people that can do that will only do that when they think the investigation will prove that the application, feature, whatever is acceptable to them. As a result, the things most likely to be avoided by infosec/privacy focused users get less investigation than they could/should. Plus, few people take the time to write up what they find.
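
The long-term DNS-level monitoring mentioned in the post above, as an added example that is not part of the original thread: it scans a multi-week query log for names that are looked up rarely but on a steady cadence, the pattern a one-day capture misses. The log format, the `.example` hostnames and the thresholds are assumptions constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median, pstdev

# Constructed sample: "ISO-timestamp <space> queried-name". All hostnames are
# placeholders under .example; no real product's endpoints are implied.
def build_sample_log():
    start = datetime(2016, 7, 1, 9, 0, 0)
    lines = []
    for day in range(28):
        base = start + timedelta(days=day)
        # Busy, obviously visible traffic: many lookups every day.
        for n in range(20):
            lines.append(f"{(base + timedelta(minutes=7 * n)).isoformat()} www.news.example")
        # Quiet endpoint: one lookup per week, at nearly the same time.
        if day % 7 == 3:
            lines.append(f"{(base + timedelta(hours=5, minutes=day)).isoformat()} stats.vendor.example")
    # One-off lookup: rare but not periodic.
    lines.append(f"{(start + timedelta(days=10, hours=2)).isoformat()} shop.example")
    return lines

def parse(lines):
    """Group query timestamps by normalised name."""
    seen = defaultdict(list)
    for line in lines:
        ts, name = line.split()
        seen[name.lower().rstrip(".")].append(datetime.fromisoformat(ts))
    return seen

def rare_periodic(seen, min_gap=timedelta(hours=20), max_jitter=0.1, min_hits=3):
    """Return {name: median_gap} for names queried seldom but on a steady cadence."""
    flagged = {}
    for name, stamps in seen.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue  # too few observations to call it periodic
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        # Long gaps (rare) and small spread relative to the gap (regular).
        if mid >= min_gap.total_seconds() and pstdev(gaps) / mid <= max_jitter:
            flagged[name] = timedelta(seconds=mid)
    return flagged

if __name__ == "__main__":
    for name, gap in rare_periodic(parse(build_sample_log())).items():
        print(f"{name}: about every {gap}")
```

A name that is flagged is only a candidate for review; update checks and certificate revocation lookups produce the same cadence.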
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, this is what worries me. My only hope is that browser developers and other companies are not willing to take the risk of major reputation damage when stuff like this does turn up.

    I've read about the new Maxthon v5, which will feature an advanced cloud-based password manager. I wonder how many people still feel comfortable with this, after this news. And BTW, I wasn't impressed with the other features either.

    http://www.pcworld.com/article/3093...dy-browser-offers-paid-features-for-free.html
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, I did some more research, and I concluded that companies like Google and Facebook are somehow able to phone home, even when there are no active connections to the site. I noticed that Opera and Firefox still connect to these sites without any open tabs, but I wonder if the browser is to blame or not.

    For the record, I'm using tools like Ghostery, ABP and uBlock to block ads and trackers. So I wonder what's going on, is it perhaps because of the so-called "Flash Cookies"? I have not yet installed the BetterPrivacy extension. I also wonder what type of data is being transferred to these sites.

    https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/
     
  8. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    I'd suggest moving the Opera and Firefox phone home discussions to threads on those specific browsers. So that people familiar with and/or interested in them will be more likely to see the discussion. I commented on Firefox here: https://www.wilderssecurity.com/threads/firefox-lockdown.368003/page-9#post-2609749
     