‘Today, we are very excited and proud to announce the launch of the 4.4.3.1000 Maxthon Final version. As always, Maxthon team is very appreciative to everyone who contributed to this release. It is nice to experience positive feedback on the work that we, Maxthon team are carrying out.’ ~ Blurb http://forum.maxthon.com/thread-13450-1-1.html
http://forum.maxthon.com/thread-13525-1-1.html Also, Maxthon Cloud Portable 4.4.3.2000 (web browser) Released, courtesy of PortableApps.com.
Is it possible yet to disable SSL 3.0? The Maxthon developers need to make the security settings accessible/configurable.
Doesn't look like it; still looking into it. Re: http://forum.maxthon.com/forum.php?mod=redirect&goto=findpost&ptid=13375&pid=71027
It sounds like they're intentionally masking SSL settings to protect users against themselves; not a good strategy IMHO.
Disabling SSL3 won't impact the vast majority of websites, and has to be done because it's widely exploited right now (Poodle). I have only found 1 website since disabling it that wouldn't load correctly, and that will be fixed eventually and it's a non-essential website. The good news is, anyone with a UTM or Enterprise Router is blocking SSL3 exploits already anyway. All of the major companies have already released IPS updates to watch for this. (Fortinet, ZyXEL, etc.)
In the real world, sitting behind my own router, on an Android platform, just how vulnerable am I to 'Poodle'?
Screenshot of blocked poodle attacks (UTM blocked) on my home network after 7 days. Make of it what you will.
I'm not sure what to make of that. In my limited understanding of the phenomenon it is only really likely to be a problem on public access WiFi. I am probably wrong though.
Yes, public (unencrypted) WiFi is more vulnerable as it makes the MITM component easier. In any case it makes sense to disable SSL 3.0 in favor of more secure TLS. That's easy to do in Internet Explorer and Firefox, and on the off chance that it breaks something you can revert back. https://www.us-cert.gov/ncas/alerts/TA14-290A Two other conditions must be met to successfully execute the POODLE attack: 1) the attacker must be able to control portions of the client side of the SSL connection (varying the length of the input) and 2) the attacker must have visibility of the resulting ciphertext. The most common way to achieve these conditions would be to act as Man-in-the-Middle (MITM), requiring a whole separate form of attack to establish that level of access. These conditions make successful exploitation somewhat difficult. Environments that are already at above-average risk for MITM attacks (such as public WiFi) remove some of those challenges.
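Added example (not from any poster in this thread, and not Maxthon's code): a Python parser for a captured ClientHello that reports which protocol version the handshake is being attempted at, so an SSL 3.0 attempt stands out in a packet capture. It goes slightly beyond the thread by also reporting TLS_FALLBACK_SCSV (RFC 7507), the marker a client adds when it retries at a lower version. The function names and the sample handshake bytes are constructed for illustration.

```python
import struct

SSL3 = 0x0300
TLS_FALLBACK_SCSV = 0x5600  # RFC 7507: "this hello is a lower-version retry"
NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def inspect_client_hello(record: bytes) -> dict:
    """Parse one SSL/TLS record carrying a ClientHello; report what it offers."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _record_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    # content type 22 = handshake, handshake type 1 = ClientHello
    if ctype != 22 or len(body) != rec_len or rec_len < 4 or body[0] != 1:
        raise ValueError("not a complete ClientHello record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    version = struct.unpack("!H", hello[:2])[0]   # version this handshake asks for
    pos = 2 + 32                                  # skip version + 32-byte random
    pos += 1 + hello[pos]                         # skip session_id (1-byte length)
    if pos + 2 > len(hello):
        raise ValueError("truncated ClientHello")
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    raw = hello[pos + 2:pos + 2 + cs_len]
    if len(raw) != cs_len or cs_len % 2:
        raise ValueError("bad cipher suite list")
    suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)]
    return {
        "offered": NAMES.get(version, hex(version)),
        "ssl3_hello": version == SSL3,
        "fallback_scsv": TLS_FALLBACK_SCSV in suites,
    }

def build_client_hello(version: int, suites: list, record_version: int = 0x0301) -> bytes:
    """Constructed sample input: a minimal ClientHello with no extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, record_version, len(handshake)) + handshake

if __name__ == "__main__":
    # 0x002F and 0x000A are ordinary RSA cipher suites; all values are constructed.
    print(inspect_client_hello(build_client_hello(0x0303, [0x002F, 0x000A])))
    print(inspect_client_hello(build_client_hello(0x0300, [0x002F, 0x5600], 0x0300)))
```

A hello that shows "SSL 3.0" means that particular handshake is being attempted at SSL 3.0; a client that still has SSL 3.0 enabled normally sends its highest version first, so a single TLS hello does not prove SSL 3.0 is off.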
http://forum.maxthon.com/thread-13671-1-1.html Also, Maxthon Cloud Portable 4.4.3.3000 (web browser) Released, courtesy of PortableApps.com.
I don't think so. The extensions are downloaded directly from the browser itself from this page: http://extension.maxthon.com/
http://forum.maxthon.com/thread-13785-1-1.html Also, Maxthon Cloud Portable 4.4.3.4000 (web browser) Released, courtesy of PortableApps.com.
It seems they are very slow to push out the new versions via the internal updater. FYI SSL 3.0 is still enabled.
It's always been the same. I'm genuinely surprised when it actually does auto update lol. I also think the Android Maxthon version is the best Android browser I've used.
Daveski17, you're welcome! If it wasn't for the PortableApps.com version update, I wouldn't know it either!