
Submission: PayPal Giving Nonsense Answers about OpenSSL/Heartbleed Vulnerability

Jammerwoch writes: In the process of verifying that my critical accounts had patched their OpenSSL implementation and re-issued their SSL certificate before changing my password, I noticed that PayPal had not addressed the issue: not on their blog, in their support pages, or anywhere on my account page. I also noticed that their SSL certificate was issued in February of 2014, before the vulnerability was discovered. So I contacted support to ask if they had addressed the vulnerability. The first response I got was this:

"Your PayPal account details were not exposed at any time in the past and remain secure. You do not need to take any additional action to safeguard your information."

Undaunted, I replied, asking specifically if they were using (or had ever used) one of the vulnerable versions of OpenSSL (1.0.1 through 1.0.1f). The response I received was amusing, to say the least:

"I assure you that your password is not compromised. We do not use an Open SSL in our servers. The SSL certificate that we are using is hyper encrypted and beyond the versions of the usual SSL certificate. It is not affected by the ongoing HeartBleed issue."

Well! Now I'm completely reassured, knowing that they don't use "the Open SSL", and that their certificate is "hyper encrypted".

Unimpressed.