Heartbleed

Somersetmaker
22-04-2014, 12:35 PM
I was wondering how you are with this Heartbleed nasty that's around. Is your website updated to protect transactions or should we change passwords?

caroleallen
22-04-2014, 12:53 PM
I don't know anything about it Pru. I'd be interested to know what others think.

ps_bond
22-04-2014, 12:58 PM
It's a bug that has recently been unveiled in the OpenSSL (secure sockets layer) implementations used extremely widely for encrypted traffic. AFAICT it affects all Linux-based implementations - but I don't think any MS IIS installations are affected. Which makes me grumpy :)

http://en.wikipedia.org/wiki/Heartbleed

A bit of a bugger, all told. It's good practice to regularly change passwords anyway.

Somersetmaker
22-04-2014, 12:59 PM
As far as my non-techy brain understands it's a matter of whether sites using online trading software are using the particular (I believe common) software affected and whether the site has been patched against this Heartbleed pest. Hence the question. Beyond that I dunno nutin'!

But I spend lots of money here so it'd be good to know it's all OK.

(and hi Carole! :wave:)

Somersetmaker
22-04-2014, 01:00 PM
So has the Cooksons site been updated do you know Peter?

I understand you need to change passwords after a site has been made secure.

ps_bond
22-04-2014, 01:08 PM
It's not just trading sites - Wikipedia was using a flawed implementation.

Cooksons, despite my mocking (and now having to eat a little bit of humble pie) I believe use Microsoft IIS - which does not use OpenSSL at all. I'd wait for Rob to confirm that though (the IIS bit, I know IIS doesn't use OpenSSL).

dgrose
22-04-2014, 01:19 PM
Hi,
As Peter has said, we use IIS and this doesn't use OpenSSL. Cooksongold has recently had a PCI security scan run on it, which it has passed.
Regards
Dave

Somersetmaker
22-04-2014, 01:21 PM
Excellent! Many thanks Dave and Peter. :)

caroleallen
22-04-2014, 01:23 PM
How do I find out what my site uses? I use Magento, if that's any help.

ps_bond
22-04-2014, 01:34 PM
Magento is open-source and runs on LAMP - which stands for Linux, Apache, MySQL, PHP. So, it's very likely that OpenSSL is in use there and will need to be patched. Assuming you aren't running your own server at home, I'd ask your hosting company about it.
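
A first-pass check for the question above, added here as an example and not part of any poster's reply: it reads the `Server` response header a site sends and says whether it points at IIS, at an OpenSSL release in the Heartbleed-affected range (1.0.1 through 1.0.1f, plus the 1.0.2 betas before beta2), or at nothing conclusive. The function name, result labels and sample headers are constructed for illustration.

```python
import re

# Constructed sample Server headers (not captured from any real site).
SAMPLES = [
    "Microsoft-IIS/7.5",
    "Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1 PHP/5.3.10",
    "Apache/2.2.15 (CentOS) OpenSSL/1.0.1e-fips",
    "Apache/2.4.9 (Unix) OpenSSL/1.0.1g",
    "Apache/2.2.3 (Red Hat) OpenSSL/0.9.8e-fips-rhel5",
    "Apache",
]

# Captures the numeric version, an optional patch letter and an optional beta tag.
OPENSSL_RE = re.compile(r"OpenSSL/(\d+\.\d+\.\d+)([a-z]?)(-beta\d*)?", re.I)


def classify(server_header):
    """Return a hypothetical label describing what the banner suggests."""
    if "Microsoft-IIS" in server_header:
        # IIS does not use OpenSSL, as noted in the thread.
        return "iis-no-openssl"
    m = OPENSSL_RE.search(server_header)
    if not m:
        # Many servers hide the version; only the host can answer then.
        return "unknown-ask-host"
    base = m.group(1)
    letter = m.group(2).lower()
    beta = (m.group(3) or "").lower()
    # Affected releases: 1.0.1 (no letter) up to 1.0.1f; 1.0.1g is the fix.
    if base == "1.0.1" and letter <= "f":
        return "in-affected-range"
    # 1.0.2-beta and 1.0.2-beta1 were affected; beta2 carried the fix.
    if base == "1.0.2" and beta in ("-beta", "-beta1"):
        return "in-affected-range"
    # Includes the 0.9.8 and 1.0.0 branches, which never had the bug.
    return "outside-affected-range"


if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify(header):24} {header}")
```

A result of `in-affected-range` is only a prompt to ask: Linux distributions often backport the fix without changing the version string, so the hosting company's confirmation is still what settles it.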

caroleallen
22-04-2014, 05:26 PM
I think I may just change the PayPal password.