Heartbleed bug/SSL vulnerability of common FS commerce sites

[Bob Scott 7,720]

Given the news of the Heartbleed SSL server bug, I ran the Qualys SSL security analysis on a number of common flight sim community commerce sites.  https://www.ssllabs.com/ssltest/analyze.html

 

Only one, captainsim.com, failed with a vulnerability to Heartbleed, however several others failed for other reasons.  Here are the graded results I got from the scanner, as of 11 Apr 2014.  Failures are listed first.

 

www.captainsim.com -- "F", vulnerable to Heartbleed SSL server bug

www.flightsimstore.com -- "F" (website used for Orbx sales)

www.pcaviator.com -- "F"

www.justflight.com -- "F"

 

 

secure.simmarket.com -- "A-"

www.aerosoft.com -- "C"

www.fspilotshop.com -- "B"

www.simw.com -- "B"

www.precisionmanuals.com -- "A-"

secure.bmtmicro.com -- "B" (used for payments by a number of add-on makers)

www.flight1.com -- "B"

 

Be careful with those credit cards!!

 

 

 

 

 

[BilboBaggins 82]

Adrian over at orbxsystems.com/forums assures us their cloud provider has already taken care of the vulnerability, so that's one off the top list.

[Don t moderate me this way 882]

CC details could have been stolen before the FSS fixed their site.

 

After fixing, you are still advised to change your password for that site. (Same applies to any site that could be/have been affected.)

[tttocs 301]

www.flightsimstore.com -- "F" (website used for Orbx sales)

 

As with all grading systems, you have to understand the details.  flightsimstore got an "F" because their server is still allowed to support SSL 2, which is insecure.  However, you should set your browser to not allow SSL 2 (most browsers will be set this way by default unless you're running a very, very old browser).  As long as you're set this way, accessing their server will be fine.

 

As Oliver notes, data could have been scraped from ANY site which was originally vulnerable (which is a large chunk of the web).  It's wise to change passwords at this point AFTER verifying that the site in question is or has been fixed.

 

Scott

[odourboy 1,289]

Adrian over at orbxsystems.com/forums assures us their cloud provider has already taken care of the vulnerability, so that's one off the top list.

While Flightsimstore.com is not vulnerable to the Heatrbleed bug gets an F for several other exploits:

This server supports SSL 2, which is obsolete and insecure. Grade set to F.

This server does not mitigate the CRIME attack. Grade capped to B.

The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.

The server does not support Forward Secrecy with the reference browsers.

 

Edit: Oops - Scott beat me to it while I was composing my post.

[tttocs 301]

BTW, disabling SSL 2 is a fundamental requirement for PCI compliance which would be picked up in a compliance scan, so it is, um... curious to see any ecommerce site which accepts credit cards that still allows it.

 

Scott