Heartbleed bug and Fractal SSL

solo-act

Fractal Fanatic
Is Fractal store part of the estimated 66% SSL sites that need to update to close the heartbleed vulnerability?

I went to buy cab lab and cab pack4, looked up, saw https:// at the URL and decided to bail out of purchase.

Might be a good idea for FA to inform users of heartbleed status given other sites are doing so (SoundCloud) and given FA announced yesterday that cabpack4 is ready for purchase/download.
 
A good list can be found here: The Heartbleed Hit List: The Passwords You Need to Change Right Now

Those of us in the security industry advise that everyone change their passwords, because users do not know which of the websites or services they use also use OpenSSL.

To be on the safe side, change your password anyway.

This is another great time to point out the importance of changing your passwords as a part of a normal personal online security policy.

A stolen password is only useful so long as it doesn’t change.

We suggest:

- Make sure your personal email password is different from every other password.

- Change all passwords every 3 months.
 
Regardless of whether your site passes this test, you should change all your online passwords anyway as it might not have ALWAYS been protected. This vulnerability has been around for a long time, and you can bet some enterprising @sshole has used it to good measure before they fixed it.

FYI.
 
Changing your password on, or even logging into, a vulnerable site is probably the worst thing you could do right now. The vulnerability has existed for 2 years, but was almost certainly unknown prior to last week. If a site is vulnerable, your best course of action is probably to stay away from it until it is fixed. Then, and only then, log in and change your password.

My point was change your password only IF the site has passed the test.
 
OpenSSL FUD

If you were to connect to the shop.fractalaudio.com website and determined what type and version of web server it's running, it would answer lots of questions and remove all the FUD.
Lots of websites tell you how to do this, and it's not hacking nor in any way illegal. It would be the same as reading the manufacturer and model on the back of a car.
If you request it, the web server actually tells you the type and version of the web server. Easy.
Review the following to learn how it's done:
Apache Tips & Tricks: Discover the web server software and version of a remote server - MDLog:/sysadmin

shop.fractalaudio.com says that it's a Microsoft-IIS/6.0 server. Microsoft software does not use the OpenSSL application, so there should be no worry about using their site.
Also, it may be way easier if you give them a call and ask, or send an email to tech support requesting information about the store.FAS configuration.

John
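As an added illustration of the banner check described in this post (example code, not from the forum or Fractal Audio), the snippet below parses the Server header out of a raw HTTP response head and classifies it for Heartbleed triage. The sample responses are constructed, not real captures; a banner without an OpenSSL token (such as IIS) is reported as "unknown", not "safe", because a TLS-terminating proxy in front of the web server could still be OpenSSL-based.

```python
import re
from typing import Optional

# Constructed sample response heads (not real captures) for the two cases
# discussed in the thread: an IIS banner and an Apache banner whose mod_ssl
# build exposes its OpenSSL version.
SAMPLE_IIS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Content-Type: text/html\r\n\r\n"
)
SAMPLE_APACHE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1e\r\n"
    "Content-Type: text/html\r\n\r\n"
)

# OpenSSL releases that shipped the vulnerable heartbeat code: 1.0.1 through
# 1.0.1f and 1.0.2-beta1 (fixed in 1.0.1g). 0.9.8 and 1.0.0 never had it.
VULN_RE = re.compile(r"^(1\.0\.1[a-f]?|1\.0\.2-beta1)$")


def server_header(raw_response: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response head, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def openssl_version(banner: str) -> Optional[str]:
    """Extract an 'OpenSSL/x.y.z' token from a Server banner, if present."""
    m = re.search(r"OpenSSL/(\S+)", banner)
    return m.group(1) if m else None


def triage(raw_response: str) -> str:
    """Classify a response for Heartbleed inventory purposes.

    'no-openssl-token' means the HTTP front end does not advertise OpenSSL;
    it does NOT prove the TLS endpoint is safe (a proxy may terminate TLS).
    """
    banner = server_header(raw_response)
    if banner is None:
        return "no-banner"
    ver = openssl_version(banner)
    if ver is None:
        return "no-openssl-token"
    return "openssl-vulnerable" if VULN_RE.match(ver) else "openssl-patched-or-unaffected"
```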