Old 04-11-2014, 02:25 PM   #4
DNSB
Bibliophagist
Quote:
Originally Posted by Geco
You're right murg, but they also show a low level of security, regardless of the Heartbleed itself.
Compare it with, say, https://rubygems.org that is anyway a 'free' site, we have a class 'F' security of Kobo against a class 'C' security of rubygems.

The major reason for the markdown seems to be due to allowing the use of insecure renegotiation, opening the way for man-in-the-middle attacks. Another reason for avoiding public networks for secure transactions. It would be better for Kobo to configure their servers in strict mode but there is a good chance of having issues with some systems.

I did find your worrying about Heartbleed on the Kobo site a bit odd in light of the final portion of the report -- as far as I know, no version of Microsoft's IIS uses the OpenSSL code and so would not be vulnerable to the Heartbleed bug.

Regards,
David