Heartbleed and security issues

[Geco]

Hi all,
searching for information on Hearthbleed security issue on internet sites, I've found these.

https://www.ssllabs.com/ssltest/anal...e.kobobooks.it

https://www.ssllabs.com/ssltest/anal...s=23.52.43.249

Not very nice news! Is someone at Kobo going to update _our_ security for _our_ data?


Thank you all,

Marco

[murg]

Both links show that the Kobo.com and Kobobooks.it sites are not vulnerable to the Heartbleed issues.

[Geco]

You're right murg, but they also show a low level of security, regardless the Heartbleed itself.
Compare it with, say, https://rubygems.org that is anyway a 'free' site, we have a class 'F' security of Kobo against a class 'C' security of rubygems.

[DNSB]

Quote:

Originally Posted by Geco

You're right murg, but they also show a low level of security, regardless the Heartbleed itself.
Compare it with, say, https://rubygems.org that is anyway a 'free' site, we have a class 'F' security of Kobo against a class 'C' security of rubygems.

The major reason for the markdown seems to be due to allowing the use of insecure renegotiation opening the way for man in the middle attacks. Another reason for avoiding public networks for secure transactions. It would be better for Kobo to configure their servers in strict mode but there is a good chance of having issues with some systems.

I did find your worrying about Heartbleed on the Kobo site as a bit odd in light of the final portion of the report -- as far as I know, no version of Microsoft's IIS uses the OpenSSL code and so would not be vulnerable to the Heartbleed bug.

Regards,
David