Heartbleed exploit: check your bank's website before logging in!
I don't know if this has been posted in other areas, but I think it is important enough to post on the Personal Finance section as your financial logins could be at risk.
WHAT IS HEARTBLEED?
Think that https gives you a secure connection between you and the website? Think again. Someone can get your login and password pretty easily and it isn't traceable. System admins tested their own servers and reported it was a breeze to get logins and passwords using this exploit. Heck, they even got a hold of the master keys that can let other people impersonate the secure website.
On a scale of 1 to 10 in terms of security risk, system admins are describing this as an 11.
Read more about heartbleed here
wpengine (my web hosting company) posted a useful tool regarding the heartbleed exploit. To test if the website that you are logging into is vulnerable, use the link below.
http://possible.lv/tools/hb/
I have tested the financial sites that I use and they all seem to pass the check. It doesn't mean that they didn't grab my password before the vulnerability was patched.
Here are the sites that I have tested so far. I went to their "login" page to get the IP.
PEOPLE'S TRUST: OK
[QUOTE]Looking for TLS extensions on https://www6.memberdirect.net
TLS extension 15 (heartbeat) seems disabled, so your server is probably unaffected.[/QUOTE]
TD CANADA TRUST EASYWEB: OK
[QUOTE]Looking for TLS extensions on https://easywebsoc.td.com
ext 00035 (session ticket, length=0)
TLS extension 15 (heartbeat) seems disabled, so your server is probably unaffected.[/QUOTE]
TANGERINE: OK
[QUOTE]Looking for TLS extensions on https://secure.tangerine.ca
ext 00035 (session ticket, length=0)
TLS extension 15 (heartbeat) seems disabled, so your server is probably unaffected.[/QUOTE]
Please post your findings on other financial institutions here.
UPDATE: It seems as if all banks patched up the exploit, but please keep posting for the sake of other RFD'ers, especially if one fails the check.
From other users:
PC Financial: OK
Canadian Direct Financial: OK
Paypal: OK
Desjardins: OK
Chase: OK
MBNA: OK
CIBC: OK
BMO: OK
Standard Life: OK
Sun Life: OK
Great-West Life: OK
CI Investments: OK
American Express: OK
Capital One: OK
Libro: OK
Scotiabank: OK
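As an added example (not from the post or from the possible.lv tool), this parses a TLS ServerHello record and reports whether the server echoed the heartbeat extension (type 15), which is what the "TLS extension 15 (heartbeat) seems disabled" lines above are reporting. The ServerHello bytes are constructed here for offline use, not captured from any bank; a real check would offer the heartbeat extension in the ClientHello and feed the server's reply to the parser.

```python
# Added example, not code from the post or the possible.lv tool. Parses a TLS
# ServerHello and reports whether the heartbeat extension (RFC 6520, type 15)
# was negotiated. Sample records below are constructed, not captured.
import struct

HEARTBEAT_EXT = 15  # extension type for heartbeat (RFC 6520)


def parse_server_hello_extensions(record: bytes) -> dict:
    """Return {ext_type: ext_data} from a TLS record carrying a ServerHello."""
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])  # record header
    if ctype != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if body[0] != 2:                                      # handshake type 2
        raise ValueError("not a ServerHello")
    hlen = int.from_bytes(body[1:4], "big")
    sh = body[4:4 + hlen]
    pos = 2 + 32                       # skip server_version and random
    sid_len = sh[pos]
    pos += 1 + sid_len                 # skip session_id
    pos += 2 + 1                       # skip cipher_suite, compression_method
    exts = {}
    if pos >= len(sh):
        return exts                    # server sent no extensions block
    ext_total = struct.unpack("!H", sh[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", sh[pos:pos + 4])
        pos += 4
        exts[etype] = sh[pos:pos + elen]
        pos += elen
    return exts


def heartbeat_enabled(record: bytes) -> bool:
    """True if the server echoed the heartbeat extension in its ServerHello."""
    return HEARTBEAT_EXT in parse_server_hello_extensions(record)


def build_server_hello(extensions: list) -> bytes:
    """Build a minimal TLS 1.2 ServerHello record (constructed sample only)."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    sh = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session id
          + b"\x00\x2f" + b"\x00"                # TLS_RSA_WITH_AES_128_CBC_SHA, no compression
          + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    hs = b"\x02" + len(sh).to_bytes(3, "big") + sh
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


SAFE_HELLO = build_server_hello([(35, b"")])                    # session ticket only
HEARTBEAT_HELLO = build_server_hello([(35, b""), (15, b"\x01")])  # heartbeat advertised
```

A server that does not echo extension 15 is not exploitable over that connection, but this check says nothing about whether the server's OpenSSL was patched before the extension was turned off, so the post's caveat about credentials captured earlier still applies.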