Testing Malaysia's Popular Websites for Heartbleed


After this week's security scare over Heartbleed (CVE-2014-0160), a bug in the TLS heartbeat extension of OpenSSL that had shipped in every release from 1.0.1 to 1.0.1f, roughly two years' worth, we decided to test some of Malaysia's most popular websites to see whether any were still vulnerable.

We used http://filippo.io/Heartbleed to check for the bug itself and SSL Labs' SSL Server Test for the wider TLS configuration of each site (protocol versions, cipher suites and whether Perfect Forward Secrecy is offered).

members.lelong.com.my – Not vulnerable, but still accepts insecure protocols and cipher suites
www2.mudah.my – Not vulnerable, but still accepts insecure protocols and cipher suites. PFS is supported on some browsers. This only applies if you're a ProNiaga user, though.
forum.Lowyat.net – Not vulnerable, supports PFS on some browsers.
Lazada.com.my – Not vulnerable, supports PFS on some browsers.
Google.com.my – Not vulnerable, supports PFS on some browsers.
malaysia.Yahoo.com – Not vulnerable, supports PFS on some browsers.
LivingSocial.com – Not vulnerable
Groupon.my – Not vulnerable
secure.Rakuten.com.my – Not vulnerable
Member.AirAsia.com – Not vulnerable
Maybank2u.com.my – Not vulnerable
CIMBClicks.com.my – Not vulnerable
HSBC.com.my – Not vulnerable
BankIslam.biz – Not vulnerable
ibank.StandardChartered.com.my – Not vulnerable
AllianceOnline.com.my – Not vulnerable
www2.pbebank.com (Public Bank) – Not vulnerable
s.HongLeongconnect.my – Not vulnerable
AmBanksc.com – Not vulnerable. Uses PFS on some browsers.
rib.Affinonline.com – Not vulnerable
internet.OCBC.com.my – Not vulnerable

All tested sites were found to be clean of Heartbleed at the time of testing. That only tells you they are patched now, not that they were never exposed during the two years the bug was live, so you should still change your passwords. Do it only after a site has been patched, though: a new password sent to a still-vulnerable server can be leaked just like the old one. Ideally the site should also have replaced its certificate, since the server's private key is one of the things that could have been sitting in the leaked memory.

It seems that Perfect Forward Secrecy (PFS) isn't that popular in Malaysia, with only a handful of the websites above supporting it. With the plain RSA key exchange most of them rely on, the client encrypts the session's premaster secret to the server's long-term key, so anyone who recorded traffic can decrypt it later if that key is ever obtained, and Heartbleed is exactly the kind of bug that can leak it. With PFS (ephemeral Diffie-Hellman, the ECDHE and DHE cipher suites) each session derives its own keys that are discarded afterwards, so even a stolen server key cannot decrypt data that was previously transmitted. This is something we should be pushing for to limit the damage of the next vulnerability of this kind.
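One way to check for this in your own server configuration, as an added example (standard-library Python only, not code from the original post; the two cipher strings are illustrative and are not any listed site's settings): build a server-side context from an OpenSSL cipher string and flag every negotiable suite whose key exchange is static RSA.

```python
"""Forward-secrecy audit of a server-side TLS cipher configuration (added example).
Uses only the standard-library ssl module; the WEAK and HARDENED strings are
illustrative choices, not the configuration of any site listed above."""
import ssl

# Key-exchange tags as reported by SSLContext.get_ciphers(). 'kx-rsa' means the
# client encrypts the premaster secret to the server's long-term RSA key, so a
# later leak of that key (Heartbleed could expose it) decrypts recorded sessions.
# Ephemeral (EC)DH suites and every TLS 1.3 suite derive fresh per-session keys.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk"}

WEAK = "ALL:!aNULL:!eNULL"                 # still allows static RSA key exchange
HARDENED = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4"


def is_forward_secret(cipher):
    """cipher: one dict of the form returned by SSLContext.get_ciphers()."""
    if cipher.get("protocol") == "TLSv1.3":    # TLS 1.3 removed static key exchange
        return True
    kea = cipher.get("kea")
    if kea is not None:
        return kea in FORWARD_SECRET_KX
    # Fallback for builds that omit the tag: OpenSSL names ephemeral suites by prefix.
    return cipher.get("name", "").startswith(("ECDHE-", "DHE-"))


def audit(cipher_string):
    """Build a server context with the given OpenSSL cipher string and report
    which of the suites it could negotiate lack forward secrecy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    ciphers = ctx.get_ciphers()
    return {
        "total": len(ciphers),
        "no_pfs": sorted(c["name"] for c in ciphers if not is_forward_secret(c)),
    }


def enforce(cipher_string):
    """Fail closed: raise if the configuration could negotiate a non-PFS suite,
    otherwise return how many (all forward-secret) suites remain enabled."""
    report = audit(cipher_string)
    if report["no_pfs"]:
        raise ValueError("non-forward-secret suites enabled: " + ", ".join(report["no_pfs"]))
    return report["total"]


if __name__ == "__main__":
    for label, cipher_string in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cipher_string))
```

Run it as a script to see the two reports side by side; the weak list shows suites such as AES128-SHA (key exchange kx-rsa) that the hardened string excludes. The same is_forward_secret() rule applies to what SSL Labs reports per browser: a site "supports PFS on some browsers" when its preferred suite for that client is an ECDHE or DHE one, and falls back to static RSA for the rest.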

Sources:

https://www.eff.org/deeplinks/2014/04/why-web-needs-perfect-forward-secrecy
https://www.ssllabs.com/ssltest/
http://filippo.io/Heartbleed
