
w6kd

Heartbleed bug/SSL vulnerability of common FS commerce sites


Given the news of the Heartbleed SSL server bug, I ran the Qualys SSL security analysis on a number of common flight sim community commerce sites.  https://www.ssllabs.com/ssltest/analyze.html


Only one, captainsim.com, failed with a vulnerability to Heartbleed, however several others failed for other reasons.  Here are the graded results I got from the scanner, as of 11 Apr 2014.  Failures are listed first.


www.captainsim.com -- "F", vulnerable to Heartbleed SSL server bug

www.flightsimstore.com -- "F" (website used for Orbx sales)

www.pcaviator.com -- "F"

www.justflight.com -- "F"


secure.simmarket.com -- "A-"

www.aerosoft.com -- "C"

www.fspilotshop.com -- "B"

www.simw.com -- "B"

www.precisionmanuals.com -- "A-"

secure.bmtmicro.com -- "B" (used for payments by a number of add-on makers)

www.flight1.com -- "B"


Be careful with those credit cards!!

Bob Scott | AVSIM Forums Administrator | AVSIM Board of Directors
ATP Gulfstream II-III-IV-V


Adrian over at orbxsystems.com/forums assures us their cloud provider has already taken care of the vulnerability, so that's one off the top list.


CC details could have been stolen before the FSS fixed their site.


After fixing, you are still advised to change your password for that site. (Same applies to any site that could be/have been affected.)


www.flightsimstore.com -- "F" (website used for Orbx sales)


As with all grading systems, you have to understand the details.  flightsimstore got an "F" because their server is still allowed to support SSL 2, which is insecure.  However, you should set your browser to not allow SSL 2 (most browsers will be set this way by default unless you're running a very, very old browser).  As long as you're set this way, accessing their server will be fine.


As Oliver notes, data could have been scraped from ANY site which was originally vulnerable (which is a large chunk of the web).  It's wise to change passwords at this point AFTER verifying that the site in question is or has been fixed.


Scott


Adrian over at orbxsystems.com/forums assures us their cloud provider has already taken care of the vulnerability, so that's one off the top list.

While Flightsimstore.com is not vulnerable to the Heartbleed bug, it gets an F for several other exploits:

This server supports SSL 2, which is obsolete and insecure. Grade set to F.
This server does not mitigate the CRIME attack. Grade capped to B.
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.

The server does not support Forward Secrecy with the reference browsers.


Edit: Oops - Scott beat me to it while I was composing my post.


BTW, disabling SSL 2 is a fundamental requirement for PCI compliance which would be picked up in a compliance scan, so it is, um... curious to see any ecommerce site which accepts credit cards that still allows it.


Scott

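The scanner findings quoted above (SSL 2 enabled, no CRIME mitigation, no TLS 1.2, no Forward Secrecy) and the PCI point about SSL 2 all map onto a handful of web-server directives. The Apache mod_ssl fragment below is an added example, not configuration taken from any of the sites in this thread: the weak settings that produce exactly those findings, beside the corrected ones. The hostname, certificate paths and the assumption that the build is old enough for "all" to include SSLv2 are illustrative.

```apache
# --- Weak configuration of the kind the scanner penalises (constructed example) ---
<VirtualHost *:443>
    ServerName shop.example.com                          # placeholder hostname
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/shop.example.com.pem    # placeholder paths
    SSLCertificateKeyFile /etc/ssl/private/shop.example.com.key
    # On mod_ssl builds of this era "all" still includes SSLv2 and SSLv3:
    # "This server supports SSL 2 ... Grade set to F"
    SSLProtocol all
    # Static RSA key exchange only, so no Forward Secrecy with the reference browsers
    SSLCipherSuite RC4-SHA:AES128-SHA
    # TLS-level compression left on: "does not mitigate the CRIME attack"
    SSLCompression on
</VirtualHost>

# --- Corrected configuration ---
<VirtualHost *:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/shop.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/shop.example.com.key
    # Refuse SSLv2 and SSLv3; TLS 1.0/1.1/1.2 remain, so TLS 1.2 clients get the best protocol
    SSLProtocol all -SSLv2 -SSLv3
    # ECDHE/DHE suites first so browsers negotiate forward-secret key exchange;
    # anonymous, null, RC4 and MD5 suites are excluded outright
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!RC4:!MD5
    # Make the server, not the client, pick from that ordered list
    SSLHonorCipherOrder on
    # Disable TLS compression: this is the CRIME mitigation the scanner checks for
    SSLCompression off
</VirtualHost>
```

None of these directives touches Heartbleed itself: that is fixed by updating the OpenSSL library the server links against and then replacing the private key and certificate, after which the password-change advice earlier in the thread applies.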