Heartbleed bug and aerowinx.com

Started by Phil Bunch, Sun, 13 Apr 2014 16:51

Phil Bunch

I've been casually testing some of the web sites I regularly frequent, especially banking and credit card sites I depend on.  Most of them now more or less pass the server tests developed by ssllabs.com, but some seem to fail.

https://www.ssllabs.com/ssltest/index.html

aerowinx.com couldn't be tested by ssllabs, and a message results "Assessment failed: Unable to connect to server".  

My ad-hoc theory is this happened because Hoppie set this site up in a way that is uniquely customized, and doesn't depend on the SSL protocol or its management.  Also, we don't sell things here and don't need to post credit card numbers, etc.

Does it matter or mean anything that aerowinx can't be tested by ssllabs?  Are we exposed to the "heartbleed" bug from this site?

-----------
I can't figure out if I should change my passwords at sites that are financially or personally sensitive - several of them don't test well at ssllabs, and some still haven't fixed the heartbleed bug.
Best wishes,

Phil Bunch

Jeroen Hoppenbrouwers

#1
a. Hoppie didn't do anything on this site whatsoever.  :-)

b. It is http://www.aerowinx.com, not https://www.aerowinx.com. This web site does not encrypt the traffic and does not provide identity information. In my personal opinion, it does not need to do this, either. Only web sites that have security issues, such as those that provide logins and access to sensitive information, really need SSL/TLS.

Now if people use the same password at Aerowinx that they use for their e-banking, they have set themselves up for more serious problems than SSL/TLS can possibly prevent...

A non-SSL/TLS (http, port 80) web site typically does not listen on the port (443) that is allocated for an SSL/TLS (https) web site, which is what causes the ssllabs error message; technically it is correct.

I would not change any password until the web site you want to change it for has explicitly notified its users that the heartbleed bug has been fixed. These web sites are especially vulnerable right now; everybody knows they are vulnerable and if they are being scanned, you don't want to feed them your new password! Wait until they have updated.


Hoppie


edit: replaced SSL by SSL/TLS
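The explanation above, that a plain-http site usually has nothing listening on port 443 and therefore produces an "Unable to connect" result at a TLS scanner, can be checked directly. The following is an added example, not code from the original thread or from aerowinx.com: it probes a host on both 80 and 443 and classifies each port as "closed", "no-tls" (TCP accepts the connection but does not speak TLS, or stays silent) or "tls". The local one-shot server and the free-port helper are constructed here so the example runs without network access; the host names and helper names are this example's own assumptions.

```python
import socket
import ssl
import threading


def probe(host, port, timeout=3.0):
    """Classify host:port the way a TLS scanner sees it.

    "closed"  - TCP connection refused or timed out (nothing listening / filtered)
    "no-tls"  - TCP accepted, but the TLS handshake failed or got no reply
    "tls"     - a TLS handshake completed
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"

    # Posture check only: we want to know whether TLS is spoken at all,
    # so the peer certificate is deliberately not validated here.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # wrap_socket performs the handshake immediately on a connected socket.
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls"
    except OSError:
        # ssl.SSLError (e.g. WRONG_VERSION_NUMBER when a plain HTTP reply
        # comes back), connection reset, or a timeout all land here.
        return "no-tls"
    finally:
        raw.close()


def scanner_view(host, timeout=3.0):
    """Summarise the two ports a web scanner cares about for one host."""
    return {
        "http(80)": probe(host, 80, timeout),
        "https(443)": probe(host, 443, timeout),
    }


def serve_plaintext_once(response=b"HTTP/1.0 400 Bad Request\r\n\r\n"):
    """Constructed stand-in for an http-only server: accepts a single TCP
    connection, answers with a plain-HTTP line and closes. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.sendall(response)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def free_port():
    """Return a port on 127.0.0.1 that nothing is listening on (constructed helper)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Offline demonstration against the constructed local servers.
    print("plain-http listener :", probe("127.0.0.1", serve_plaintext_once()))
    print("nothing listening   :", probe("127.0.0.1", free_port()))
    # Against a real host, scanner_view("example.com") would report both ports.
```

Run as a script it exercises the two local cases; `scanner_view("www.aerowinx.com")` would show the situation described in the post, "no-tls" or "closed" on 443 alongside an open port 80. A "tls" result on 443 only means a handshake completed, not that the certificate is trustworthy or that the server is free of any particular bug; that is what a full scanner such as ssllabs adds on top.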

Phil Bunch

Re the https prefix - I use a paranoia-motivated Firefox extension that inserts "https" in front of any URL I use.  If the web site accepts it, then Firefox uses https instead of http at the site.  

With Snowden's NSA revelations, and the heartbleed SSL bug, this add-in is even more pointless.  Even after the SSL bug fix, I suspect the better hackers and agencies can get around *anything* I might come up with to maintain personal privacy or internet security.  

Along these lines of thought - it's puzzling to me that the Internet hasn't collapsed like a house of cards, considering its many weaknesses and insecurities.  Yet our whole global economy is now mostly built around the Internet even though it isn't very secure.  Perhaps the pre-Internet infrastructure wasn't very secure either...after all, we merely sent paper mail in easy-to-open paper envelopes, without any encryption, and didn't worry very much about loss of privacy, etc.  Perhaps a difference is that it was against the law (in the USA) to open/read private paper-based mail, but it isn't illegal to do the same thing with internet traffic or email, nor is one likely to be caught doing it.  I gather that Europe is trying to implement various privacy laws re the Internet, but the USA seems uninterested.
Best wishes,

Phil Bunch

Will

#3
Maybe privacy has always been a charade, like Kabuki theater... the things we do to enjoy a common suspension of disbelief in the insecurities.

Funny you were thinking back to the paper days, Phil; just this morning I was envisioning banking in the days before electronic storage, where people's account balances were written in actual bound ledgers that were stored on shelves... It seems like a wonder that they were able to get things done.
Will /Chicago /USA