No, Commonwealth Bank is not running OpenSSL


Everyone is freaking out about Heartbleed – that massive security bug that may have compromised people’s passwords, usernames and other encrypted information. And rightly so.

Many people are now asking companies if they used OpenSSL and if they used the versions that contained the bug. But when the Commonwealth Bank tried to explain whether or not they were running OpenSSL, it made things even worse.

That was largely because a blog post they published last week was very vague and confused many people. They told people that they were “patched against” the bug and that you didn’t need to change your password, before adding that their security teams “stay abreast of the latest security technologies, trends and updates”.

To use the words of Luke Hopewell from Gizmodo Australia, “the Commonwealth Bank seems keen on ushering people along from the scene of an accident like there’s nothing to see.” Yeah, don’t do that, Commonwealth Bank. Especially when your customers are freaking out.

So, did you need to worry about it? No. Based on the fact that all of NetBank’s pages are ASPX pages, it appears to be running on a Windows Server with IIS. In layman’s terms, that means it is highly unlikely to be using OpenSSL.

Commonwealth Bank has since confirmed that it wasn’t using OpenSSL. In an update to the blog post (after the online backlash against it), Drew Unsworth wrote, “NetBank does not (and did not) use OpenSSL.”

“We have multiple layers of security in place to protect our customer sites and services. Our security teams constantly monitor and stay abreast of the latest security vulnerabilities and are quick to take any action required to protect our customers,” he continued.

In summary, Commonwealth Bank does not use OpenSSL, so you can all breathe a sigh of relief. That said, I would go ahead and change that password – just in case.

Join the Conversation

  • Get best vpn providers from vpn review site fipe | https://www.fipe.net/ |

  • Nahla Mohamed

    You can get the best SSL vpn provider from waselpro vpn service, check this

    http://www.bestvpnfor.net/ssl-vpn/#sthash.0lSFEC91.dpbs

  • BrettyDaren

    Giant technology websites like Facebook and Tumblr have applied the necessary patches but mobile devices (smartphones) still remain unsafe. Android and iOS users can secure online privacy and internet freedom (until the patches/upgrades come out) by using VPNs to tunnel and encrypt their data. Source: http://www.vpnranks.com/what-is-heartbleed-how-to-protect-yourself/

  • innomatics

    Simply because they use ASP on IIS doesn’t mean that Windows is also doing the SSL. Large enterprises will often have their IIS servers behind dedicated load balancer or reverse proxy servers (possibly Linux/OSS) which can do SSL offloading before traffic reaches IIS.