Sign in to follow this  
w6kd

Heartbleed bug/SSL vulnerability of common FS commerce sites

Recommended Posts

Given the news of the Heartbleed SSL server bug, I ran the Qualys SSL security analysis on a number of common flight sim community commerce sites.  https://www.ssllabs.com/ssltest/analyze.html

 

Only one, captainsim.com, failed with a vulnerability to Heartbleed, however several others failed for other reasons.  Here are the graded results I got from the scanner, as of 11 Apr 2014.  Failures are listed first.

 

www.captainsim.com -- "F", vulnerable to Heartbleed SSL server bug

www.flightsimstore.com -- "F" (website used for Orbx sales)

www.pcaviator.com -- "F"

www.justflight.com -- "F"

 

 

secure.simmarket.com -- "A-"

www.aerosoft.com -- "C"

www.fspilotshop.com -- "B"

www.simw.com -- "B"

www.precisionmanuals.com -- "A-"

secure.bmtmicro.com -- "B" (used for payments by a number of add-on makers)

www.flight1.com -- "B"

 

Be careful with those credit cards!!

 

 

 

 

 

Share this post


Link to post
Share on other sites
Help AVSIM continue to serve you!
Please donate today!

Adrian over at orbxsystems.com/forums assures us their cloud provider has already taken care of the vulnerability, so that's one off the top list.

Share this post


Link to post
Share on other sites

CC details could have been stolen before the FSS fixed their site.

 

After fixing, you are still advised to change your password for that site. (Same applies to any site that could be/have been affected.)

Share this post


Link to post
Share on other sites

www.flightsimstore.com -- "F" (website used for Orbx sales)

 

As with all grading systems, you have to understand the details.  flightsimstore got an "F" because their server is still allowed to support SSL 2, which is insecure.  However, you should set your browser to not allow SSL 2 (most browsers will be set this way by default unless you're running a very, very old browser).  As long as you're set this way, accessing their server will be fine.

 

As Oliver notes, data could have been scraped from ANY site which was originally vulnerable (which is a large chunk of the web).  It's wise to change passwords at this point AFTER verifying that the site in question is or has been fixed.

 

Scott

Share this post


Link to post
Share on other sites

Adrian over at orbxsystems.com/forums assures us their cloud provider has already taken care of the vulnerability, so that's one off the top list.

While Flightsimstore.com is not vulnerable to the Heatrbleed bug gets an F for several other exploits:

This server supports SSL 2, which is obsolete and insecure. Grade set to F.
This server does not mitigate the CRIME attack. Grade capped to B.
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.

The server does not support Forward Secrecy with the reference browsers.

 

Edit: Oops - Scott beat me to it while I was composing my post.

Share this post


Link to post
Share on other sites

BTW, disabling SSL 2 is a fundamental requirement for PCI compliance which would be picked up in a compliance scan, so it is, um... curious to see any ecommerce site which accepts credit cards that still allows it.

 

Scott

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this