Heartbleed bug/SSL vulnerability of common FS commerce sites


Given the news of the Heartbleed SSL server bug, I ran the Qualys SSL security analysis on a number of common flight sim community commerce sites. https://www.ssllabs.com/ssltest/analyze.html

Only one, captainsim.com, failed with a vulnerability to Heartbleed; however, several others failed for other reasons. Here are the graded results I got from the scanner, as of 11 Apr 2014. Failures are listed first.

www.captainsim.com -- "F", vulnerable to Heartbleed SSL server bug
www.flightsimstore.com -- "F" (website used for Orbx sales)
www.pcaviator.com -- "F"
www.justflight.com -- "F"

secure.simmarket.com -- "A-"
www.aerosoft.com -- "C"
www.fspilotshop.com -- "B"
www.simw.com -- "B"
www.precisionmanuals.com -- "A-"
secure.bmtmicro.com -- "B" (used for payments by a number of add-on makers)
www.flight1.com -- "B"

Be careful with those credit cards!!

Bob Scott | President and CEO, AVSIM Inc

Adrian over at orbxsystems.com/forums assures us their cloud provider has already taken care of the vulnerability, so that's one off the top list.

www.flightsimstore.com -- "F" (website used for Orbx sales)

As with all grading systems, you have to understand the details. flightsimstore got an "F" because their server is still allowed to support SSL 2, which is insecure. However, you should set your browser to not allow SSL 2 (most browsers will be set this way by default unless you're running a very, very old browser). As long as you're set this way, accessing their server will be fine.

As Oliver notes, data could have been scraped from ANY site which was originally vulnerable (which is a large chunk of the web). It's wise to change passwords at this point AFTER verifying that the site in question is or has been fixed.

Scott

Adrian over at orbxsystems.com/forums assures us their cloud provider has already taken care of the vulnerability, so that's one off the top list.

While Flightsimstore.com is not vulnerable to the Heartbleed bug, it gets an F for several other exploits:

This server supports SSL 2, which is obsolete and insecure. Grade set to F.
This server does not mitigate the CRIME attack. Grade capped to B.
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.

Edit: Oops - Scott beat me to it while I was composing my post.

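Added example, not code from any poster in this thread: it encodes the scanner rules quoted above (SSL 2 sets the grade to F, the CRIME and missing-TLS-1.2 findings only cap it at B, the Forward Secrecy line is informational) so they can be applied to any set of findings, and adds a small live probe of a server you operate using only Python's standard ssl module. The grade scale, the finding names and probe() are my own assumptions; the probe cannot test SSL 2 at all, which is why an external scanner such as SSL Labs is still needed for that finding.

```python
import socket
import ssl

# Constructed grade scale, lowest first; SSL Labs' real scoring is more detailed.
GRADE_ORDER = ["F", "C", "B", "A-", "A"]

def cap(grade, limit):
    """Return grade unless it is higher than limit on the constructed scale."""
    return grade if GRADE_ORDER.index(grade) <= GRADE_ORDER.index(limit) else limit

def grade_findings(findings):
    """Apply the four scanner rules quoted for flightsimstore.com: "set to F" is
    absolute, "capped to B" only lowers higher grades, the FS line is a note."""
    grade, notes = "A", []
    if findings.get("sslv2"):
        grade = "F"
        notes.append("supports SSL 2: grade set to F")
    if findings.get("compression"):  # TLS compression is what CRIME abuses
        grade = cap(grade, "B")
        notes.append("does not mitigate CRIME: grade capped to B")
    if not findings.get("tls12"):
        grade = cap(grade, "B")
        notes.append("no TLS 1.2: grade capped to B")
    if not findings.get("forward_secrecy"):
        notes.append("no Forward Secrecy with the reference browsers")
    return grade, notes

def has_forward_secrecy(cipher_name, version):
    """Ephemeral (EC)DHE key exchange gives forward secrecy, plain RSA does not;
    every TLS 1.3 suite is ephemeral by construction."""
    return version == "TLSv1.3" or cipher_name.startswith(("ECDHE", "DHE"))

def probe(host, port=443):
    """Live check of a server you operate: negotiated version, cipher, compression.
    SSL 2 cannot be tested from modern Python (OpenSSL no longer speaks it), so
    that finding is left as None for an external scanner such as SSL Labs."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name, version = tls.cipher()[0], tls.version()
            return {"sslv2": None,
                    "compression": tls.compression() is not None,
                    "tls12": version in ("TLSv1.2", "TLSv1.3"),
                    "forward_secrecy": has_forward_secrecy(cipher_name, version)}

if __name__ == "__main__":
    # Constructed findings matching the scanner lines quoted in the thread.
    print(grade_findings({"sslv2": True, "compression": True,
                          "tls12": False, "forward_secrecy": False}))
```

On Python 3.10 and later the default context refuses anything below TLS 1.2, so a server that only speaks older protocols makes probe() raise ssl.SSLError instead of returning tls12=False; treat that exception as the same finding.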

BTW, disabling SSL 2 is a fundamental requirement for PCI compliance which would be picked up in a compliance scan, so it is, um... curious to see any ecommerce site which accepts credit cards that still allows it.


Scott
