Heartbleed

22-04-2014, 12:35 PM
I was wondering how you are with this Heartbleed nasty that's around. Is your website updated to protect transactions or should we change passwords?

22-04-2014, 12:53 PM
I don't know anything about it Pru. I'd be interested to know what others think.

22-04-2014, 12:58 PM
It's a bug that has recently been unveiled in the OpenSSL (secure sockets layer) implementations used extremely widely for encrypted traffic. AFAICT it affects all Linux-based implementations - but I don't think any MS IIS installations are affected. Which makes me grumpy :)


A bit of a bugger, all told. It's good practice to regularly change passwords anyway.

22-04-2014, 12:59 PM
As far as my non-techy brain understands, it's a matter of whether sites using online trading software are using the particular (I believe common) software affected and whether the site has been patched against this Heartbleed pest. Hence the question. Beyond that I dunno nutin'!

But I spend lots of money here so it'd be good to know it's all OK.

(and hi Carole! :wave:)

22-04-2014, 01:00 PM
So has the Cooksons site been updated, do you know, Peter?

I understand you need to change passwords after a site has been made secure.

22-04-2014, 01:08 PM
It's not just trading sites - Wikipedia was using a flawed implementation.

Cooksons, despite my mocking (and now having to eat a little bit of humble pie), I believe use Microsoft IIS - which does not use OpenSSL at all. I'd wait for Rob to confirm that though (the IIS bit, I know IIS doesn't use OpenSSL).

22-04-2014, 01:19 PM
As Peter has said, we use IIS and this doesn't use OpenSSL. Cooksongold has recently had a PCI security scan run on it, which it has passed.

22-04-2014, 01:21 PM
Excellent! Many thanks Dave and Peter. :)

22-04-2014, 01:23 PM
How do I find out what my site uses? I use Magento, if that's any help.

22-04-2014, 01:34 PM
Magento is open-source and runs on LAMP - which stands for Linux, Apache, MySQL, PHP. So, it's very likely that OpenSSL is in use there and will need to be patched. Assuming you aren't running your own server at home, I'd ask your hosting company about it.

22-04-2014, 05:26 PM
I think I may just change the PayPal password.