
Reply to: Heartbleed bug

Previously on "Heartbleed bug"

  • mudskipper
    replied
    Originally posted by xoggoth View Post
    You got me worried now. I have written a PHP shopping cart and had no idea what SSL was before all this news. Though I did check out the potential security issues and implement the suggested solutions, HTMLentities, limits on data length etc. so maybe I did indirectly.
    Didn't mean to alarm you!

    Basically SSL is a way of securely encrypting personal data. So, as a rule of thumb, you should never enter credit card details on a site which isn't running SSL (as pg politely pointed out, in 99% of cases you see the https and padlock logo in the address bar.)

    In the ideal world, all personal details (names, addresses, passwords) would be encrypted.

    In the case of your site (assuming it's the one you've posted links to in the past) you're capturing name and address details over a non-secure connection, so someone could potentially 'listen' to the traffic and steal those details. You're redirecting to worldpay to get your payment details, and they are running SSL, so your customers' card details are safe.

    Some sites with logins (like CUK) don't use SSL either - I'm guessing that actual passwords aren't sent, but instead a hash of the password, which is compared to a stored hash in the database. Session ids are probably thrown into the mix too, so that the hash is a combination of password and sessionId and changes as sessions expire. In theory that makes it hackable - by listening to the network traffic I could steal the hash of your password and fake a login to your session, but I couldn't actually get hold of your password. To do serious damage, I guess we'd have to steal admin's account.
    Last edited by mudskipper; 14 April 2014, 18:28.

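    The two login schemes mudskipper speculates about above, as an added example that is not code from the original thread, from CUK or from vBulletin (the md5hash() login form quoted elsewhere in the thread is what scheme A stands in for, with SHA-256 in place of MD5). The user name, password and nonce handling are constructed for the example; the point it demonstrates is that a fixed client-side hash is valid on every login, whereas a token keyed to a per-session nonce stops verifying once the server issues a new nonce.

```python
import hashlib
import hmac
import secrets

# Constructed credential store: the server keeps a hash of the password and compares
# against it, as the post guesses. User name and password are made up for this example.
def password_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

USERS = {"alice": password_hash("constructed-example-password")}

# --- Scheme A: the client sends a fixed hash of the password (what an md5hash()-style
#     form does; SHA-256 stands in for MD5 here) ---
def client_static_token(password: str) -> str:
    return password_hash(password)

def server_verify_static(user: str, token: str) -> bool:
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, token)

# --- Scheme B: the token is bound to a nonce the server issues per session, so it
#     changes as sessions expire ---
def server_new_session_nonce() -> bytes:
    return secrets.token_bytes(16)

def client_session_token(password: str, nonce: bytes) -> str:
    # HMAC keyed with the password hash, over the nonce for this session only.
    return hmac.new(password_hash(password).encode(), nonce, hashlib.sha256).hexdigest()

def server_verify_session(user: str, nonce: bytes, token: str) -> bool:
    stored = USERS.get(user)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), nonce, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token)

def compare_schemes(password: str = "constructed-example-password") -> dict:
    """Exercise both schemes and report the properties the post talks about."""
    # Scheme A: the same token is sent on every login, so it never expires.
    t_static = client_static_token(password)
    static_valid_twice = (server_verify_static("alice", t_static)
                          and server_verify_static("alice", t_static))

    # Scheme B: a token computed under one nonce is rejected under the next one.
    nonce1 = server_new_session_nonce()
    t1 = client_session_token(password, nonce1)
    valid_in_session = server_verify_session("alice", nonce1, t1)
    nonce2 = server_new_session_nonce()          # session expired, server issues a new nonce
    valid_after_expiry = server_verify_session("alice", nonce2, t1)

    return {
        "static_token_valid_twice": static_valid_twice,          # True
        "session_token_valid_in_session": valid_in_session,      # True
        "session_token_valid_after_expiry": valid_after_expiry,  # False
    }

if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```

    Note that in both schemes the value the server stores is itself enough to produce a valid token (in scheme B it is the HMAC key), and in neither scheme is anything else on the form encrypted; that is the gap TLS closes, which is why hashing in the browser is not a substitute for https.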

  • xoggoth
    replied
    If he's writing PHP shopping carts, he ought to at least have a basic knowledge of what SSL is
    You got me worried now. I have written a PHP shopping cart and had no idea what SSL was before all this news. Though I did check out the potential security issues and implement the suggested solutions, HTMLentities, limits on data length etc. so maybe I did indirectly.


  • mudskipper
    replied
    Originally posted by petergriffin View Post
    I can't see it:
    Code:
    <form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
    SSL is definitely disabled in Apache:
    https://forums.contractoruk.com/
    I didn't say CUK was - just pointing out that it's not always quite as bleedin' obvious as you make out.


  • petergriffin
    replied
    Originally posted by mudskipper View Post
    ... unless it's running SSL in a frame ...
    I can't see it:
    Code:
    <form action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
    SSL is definitely disabled in Apache:
    https://forums.contractoruk.com/


  • Ticktock
    replied
    Originally posted by mudskipper View Post
    If he's writing PHP shopping carts, he ought to at least have a basic knowledge of what SSL is.
    I think you've misunderstood. PG is more likely to be found collecting the shopping carts from the car park at Tescos.


  • mudskipper
    replied
    Originally posted by xoggoth View Post
    So anyone who doesn't understand the intricacies of openSSL is an idiot now? I wonder if he can do a 3 phase simulation of a complex fluid network on an oil and gas platform or emulator test an aircraft control system or even write a PHP shopping cart. No? What a moron!

    Like a sasguru in rudeness and abuse without any of the sense.
    If he's writing PHP shopping carts, he ought to at least have a basic knowledge of what SSL is.


  • xoggoth
    replied
    So anyone who doesn't understand the intricacies of openSSL is an idiot now? I wonder if he can do a 3 phase simulation of a complex fluid network on an oil and gas platform or emulator test an aircraft control system or even write a PHP shopping cart. No? What a moron!

    Like a sasguru in rudeness and abuse without any of the sense.


  • mudskipper
    replied
    Originally posted by petergriffin View Post
    Message to all the incompetent parasite forum idiots: if you don't see https:// in the url, it means the connection is not encrypted, ergo it makes no difference which version of ssl/tls is installed on the server. Just keep on living in your la-la-land with your inbreds and stop asking questions way above your level.
    ... unless it's running SSL in a frame ...


  • petergriffin
    replied
    Message to all the incompetent parasite forum idiots: if you don't see https:// in the url, it means the connection is not encrypted, ergo it makes no difference which version of ssl/tls is installed on the server. Just keep on living in your la-la-land with your inbreds and stop asking questions way above your level.


  • xoggoth
    replied
    therefore running old openssl that didn't have the bug.
    Phew! I've got OpenSSL 0.9.8 on my machine (for Ultrafunk Popcorn) and it's only 1.0 that has the bug.


  • fullyautomatix
    replied
    Originally posted by administrator View Post
    Sorry, spring has come early and am struggling with my garden. Much more fun than computers!

    Here's your answer for this box.

    root@tyrant:~# openssl version
    OpenSSL 0.9.8k 25 Mar 2009

    High five!

    Ah, my fear of having to do work was dev nulled when I realised we are on 10.04 LTS and therefore running old openssl that didn't have the bug. Hooray! Still got a couple of newish CentOS boxes that need a kick but only cacky sites on them so they will wait.

    When do you plan to upgrade the systems ? You cannot run your systems on old vulnerable software.


  • fullyautomatix
    replied
    Originally posted by petergriffin View Post
    Silly and embarrassing question! CUK doesn't use SSL at all. Loser!


  • NickFitz
    replied
    Originally posted by administrator View Post
    only cacky sites on them so they will wait
    That's no way to talk about hmrc.gov.uk


  • administrator
    replied
    Originally posted by fullyautomatix View Post
    Are our CUK passwords safe ?
    Sorry, spring has come early and am struggling with my garden. Much more fun than computers!

    Here's your answer for this box.

    root@tyrant:~# openssl version
    OpenSSL 0.9.8k 25 Mar 2009

    Originally posted by petergriffin View Post
    Silly and embarrassing question! CUK doesn't use SSL at all. Loser!
    High five!

    Originally posted by NickFitz View Post
    Does
    answer your question?
    Ah, my fear of having to do work was dev nulled when I realised we are on 10.04 LTS and therefore running old openssl that didn't have the bug. Hooray! Still got a couple of newish CentOS boxes that need a kick but only cacky sites on them so they will wait.

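    The `openssl version` check the administrator runs above, turned into a small classifier as an added example (not code from the thread or from the OpenSSL project). It reads a version line and reports whether the upstream release falls in the range affected by Heartbleed (CVE-2014-0160): 1.0.1 up to and including 1.0.1f, plus 1.0.2-beta1. The 0.9.8 and 1.0.0 branches never had the TLS heartbeat code, which is why the 0.9.8k box above is fine, and 1.0.1g and 1.0.2-beta2 carry the fix. The sample lines are constructed; the `current_system_classification()` wrapper is the only part that touches the machine it runs on.

```python
import re
import subprocess

# Matches the leading "OpenSSL <major>.<minor>.<fix><letter>[-suffix]" of an
# `openssl version` line, e.g. "OpenSSL 0.9.8k 25 Mar 2009" or "OpenSSL 1.0.2-beta1 ...".
VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\S+))?")

def classify_openssl_version(version_line: str) -> str:
    """Return 'affected', 'unaffected' or 'unknown' for one `openssl version` line.

    'affected' means the upstream release number is in the Heartbleed range. A distro
    package may have backported the fix without changing this string, so treat
    'affected' as "check the package changelog / build date", not as a verdict.
    """
    m = VERSION_RE.match(version_line.strip())
    if not m:
        return "unknown"                      # LibreSSL, garbage, or an unexpected format
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)                       # '' for a plain x.y.z release
    suffix = (m.group(5) or "").lower()       # e.g. 'fips', 'beta1'

    if base < (1, 0, 1):
        return "unaffected"                   # 0.9.8x and 1.0.0x: no heartbeat extension
    if base == (1, 0, 1):
        # 1.0.1 (including betas) through 1.0.1f are vulnerable; 1.0.1g onwards fixed.
        return "affected" if letter <= "f" else "unaffected"
    if base == (1, 0, 2):
        return "affected" if suffix == "beta1" else "unaffected"
    return "unaffected"                       # 1.0.2 final and every later branch

def current_system_classification() -> str:
    """Run `openssl version` on this machine and classify the result."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return "unknown"
    return classify_openssl_version(out)

# Constructed sample lines in the same format as the output quoted in the thread.
SAMPLES = [
    "OpenSSL 0.9.8k 25 Mar 2009",       # the box in the thread: unaffected
    "OpenSSL 1.0.0l 6 Jan 2014",        # unaffected
    "OpenSSL 1.0.1e-fips 11 Feb 2013",  # affected (typical RHEL/CentOS 6 string)
    "OpenSSL 1.0.1g 7 Apr 2014",        # unaffected (fixed release)
    "OpenSSL 1.0.2-beta1 24 Feb 2014",  # affected
    "LibreSSL 2.8.3",                   # unknown
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r}: {classify_openssl_version(line)}")
    print("this machine:", current_system_classification())
```

    The caveat matters in practice: a patched distribution package keeps the upstream number (Ubuntu 12.04's fixed package still reports 1.0.1), so an 'affected' result should be confirmed with the package manager's changelog or with `openssl version -b`, which prints the build date; a build on or after 7 April 2014 is the usual sign that the backport is in.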

  • darmstadt
    replied
