Heartbleed virus

shaving sharp

Has it been determined if Bladeforums has been protected from the Heartbleed virus? There is credit card info that could be vulnerable to it.
 
Heartbleed isn't a virus, it's an OpenSSL vulnerability that has existed for a couple of years and was recently made public.
Here is one website that offers a website checker:
https://lastpass.com/heartbleed/

Unfortunately, there is no way to know when and/or if you were first made vulnerable. You will soon see antivirus programs offering a built-in Heartbleed checker tool, or as a standalone piece of software.
ETA: As far as Bladeforums being protected, I don't think I'd worry much about that. You should be more concerned about the banks you use, PayPal, and possibly changing any passwords associated with financial institutions or retail places (anything with a https://). I may be wrong, but Bladeforums.com does not process credit card information directly; it's done via a bank of some sort. Same would apply to membership payments, etc.
 
vBulletin doesn't have any SSL that I am aware of, unless specific features that require security certificates are installed. A storefront would require a security certificate, but Bladeforums redirects sales through PayPal and Authorize.net. PayPal did not use OpenSSL, so it was not affected.

It's not clear which security certificates Authorize.net uses. It's possible they use OpenSSL, but it's not verifiable. Authorize.net was part of Cybersource Corporation, which was purchased by Visa.

According to Authorize.net's Facebook page, they are not vulnerable to Heartbleed. Visa released a statement saying:

“Visa’s core systems and payment processing platforms, including VisaNet, V.me, CyberSource, Authorize.net and PlaySpan, remain unaffected and are operating normally. If consumers have concerns about the security of their account, they should contact their financial institution,”

It doesn't specifically address whether any of their platforms use OpenSSL, or if they have ever scoured code from OpenSSL, which leads me to believe that there are instances where their security uses something that is either directly or indirectly associated with OpenSSL. Given the depth of their networks, it will take a team several weeks to be confident that their products aren't vulnerable to Heartbleed-related attacks, but I would assume that the basic testing and research they would have done initially is enough to say that the specific Heartbleed vulnerability does not currently exist in their security certificates and encryption systems.
 
These sites are the ones you need to be concerned with:
[Image: lwg_heartbleed_passwords.jpg]
 
That is correct. But according to the Qualys SSL Labs site, they are not using the latest SSL protocol (TLS 1.2). So their security grade is capped at a "B". You can access the Qualys SSL Labs site at https://www.ssllabs.com/ssltest/.

Many banks don't use the latest security technology either; you'd be surprised at just how far behind they are. It's trailing edge technology rather than cutting edge technology. The cost is more than they actually want to invest. How's that for weird?
 
Funny you should mention that. I ran the Qualys SSL test on the Life Insurance Company that handles our company's 403(b). Although they weren't vulnerable to Heartbleed, their grade came back "F" due to outdated protocols. I sent a copy of the report to someone I know there and he ran it up to their IT department. Within an hour or two, they had upgraded their protocols and their grade moved from an "F" to a "B".
 