“A little knowledge is a dangerous thing.” When Heartbleed first was all over online news, I had a grasp of the significance of SSL and what the gap meant. A couple of articles referenced the Qualys SSL Labs server analysis website where one could type in a domain name and find out whether or not a particular business’s server or servers were vulnerable to Heartbleed exploitation.
I used the site to look at the businesses with whom I routinely make credit card transactions, including online flight, hotel, and car rental reservations. While all of them got a green light OK on Heartbleed, I was shocked to see overal grades ranging from A- to F.
I looked at the information returned about protocol support, key exchange, cipher strength, and PSF. (Following the links for “more information” led me to your bloggers and this site.) I am in over my head here; ultimately, the only conclusion I could draw was that very few servers of very few businesses are reliably safe from being hacked. I have assumed that it is not really prudent to entrust personal information and credit card numbers to such servers, whether by setting up an account, using online credit card transactions, or calling in by phone and having that information put in centrally by a clerk.
If I am correct, I am pretty much paralyzed trying to transact a lot of business. For example, it is impossible to make a hotel reservation without using a valid credit card.
I am asking for guidance here. Are my conclusions about the safety of servers as evidenced by the analysis on the Qualys site correct? And, if so, are my concerns about my own vulnerability valid?
I would appreciate any help here.
Thank you for your attention.