Jump to content
Sign in to follow this  
Bob Scott

Heartbleed bug/SSL vulnerability of common FS commerce sites

Recommended Posts

Given the news of the Heartbleed SSL server bug, I ran the Qualys SSL security analysis on a number of common flight sim community commerce sites.  https://www.ssllabs.com/ssltest/analyze.html


Only one, captainsim.com, failed with a vulnerability to Heartbleed, however several others failed for other reasons.  Here are the graded results I got from the scanner, as of 11 Apr 2014.  Failures are listed first.


www.captainsim.com -- "F", vulnerable to Heartbleed SSL server bug

www.flightsimstore.com -- "F" (website used for Orbx sales)

www.pcaviator.com -- "F"

www.justflight.com -- "F"



secure.simmarket.com -- "A-"

www.aerosoft.com -- "C"

www.fspilotshop.com -- "B"

www.simw.com -- "B"

www.precisionmanuals.com -- "A-"

secure.bmtmicro.com -- "B" (used for payments by a number of add-on makers)

www.flight1.com -- "B"


Be careful with those credit cards!!






Bob Scott | President and CEO, AVSIM Inc
ATP Gulfstream II-III-IV-V

System: i9-13900KS @ 6.0GHz on custom water loop, ASUS Maximus Z790 Hero, 32GB GSkill 7800MHz CAS36, ASUS RTX4090
Samsung 55" JS8500 4K TV@30Hz,
3x 2TB WD SN850X 1x 4TB Crucial P3 M.2 NVME SSD, EVGA 1600T2 PSU, 1.2Gbps internet
Fiber link to Yamaha RX-V467 Home Theater Receiver, Polk/Klipsch 6" bookshelf speakers, Polk 12" subwoofer, 12.9" iPad Pro
PFC yoke/throttle quad/pedals with custom Hall sensor retrofit, Thermaltake View 71 case, Stream Deck XL button box

Share this post

Link to post

Adrian over at orbxsystems.com/forums assures us their cloud provider has already taken care of the vulnerability, so that's one off the top list.

Share this post

Link to post

CC details could have been stolen before the FSS fixed their site.


After fixing, you are still advised to change your password for that site. (Same applies to any site that could be/have been affected.)

What happened to AVSIM

Share this post

Link to post

www.flightsimstore.com -- "F" (website used for Orbx sales)


As with all grading systems, you have to understand the details.  flightsimstore got an "F" because their server is still allowed to support SSL 2, which is insecure.  However, you should set your browser to not allow SSL 2 (most browsers will be set this way by default unless you're running a very, very old browser).  As long as you're set this way, accessing their server will be fine.


As Oliver notes, data could have been scraped from ANY site which was originally vulnerable (which is a large chunk of the web).  It's wise to change passwords at this point AFTER verifying that the site in question is or has been fixed.



Share this post

Link to post

Adrian over at orbxsystems.com/forums assures us their cloud provider has already taken care of the vulnerability, so that's one off the top list.

While Flightsimstore.com is not vulnerable to the Heatrbleed bug gets an F for several other exploits:

This server supports SSL 2, which is obsolete and insecure. Grade set to F.
This server does not mitigate the CRIME attack. Grade capped to B.
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.

The server does not support Forward Secrecy with the reference browsers.


Edit: Oops - Scott beat me to it while I was composing my post.

13900K@5.8GHz - ROG Strix Z790-E - 2X16Gb G.Skill Trident DDR5 6400 CL32 - MSI RTX 4090 Suprim X - WD SN850X 2 TB M.2 - XPG S70 Blade 2 TB M.2 - 58" Panasonic TC-58AX800U 4K - Pico 4 (incoming) - WinWing HOTAS Orion2 MAX - ProFlight Pedals - TrackIR 5 - W11 Pro (Passmark:12574, CPU:63110-Single:4785, GPU:50688)

Share this post

Link to post

BTW, disabling SSL 2 is a fundamental requirement for PCI compliance which would be picked up in a compliance scan, so it is, um... curious to see any ecommerce site which accepts credit cards that still allows it.



Share this post

Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
  • Tom Allensworth,
    Founder of AVSIM Online

  • Flight Simulation's Premier Resource!

    AVSIM is a free service to the flight simulation community. AVSIM is staffed completely by volunteers and all funds donated to AVSIM go directly back to supporting the community. Your donation here helps to pay our bandwidth costs, emergency funding, and other general costs that crop up from time to time. Thank you for your support!

    Click here for more information and to see all donations year to date.
  • Create New...