Everyone is freaking out about Heartbleed – that massive security bug that may have comprised people’s passwords, usernames and other encrypted information. And rightly so.
Many people are now asking companies if they used OpenSSL and if they used the versions that contained the bug. But when the Commonwealth Bank tried to explain whether or not they were running OpenSSL, it made things even worse.
That was largely because a blog post they posted up last week confused many people because it was very vague. They told people that they were “patched against” the bug and that you didn’t need to change your password, before adding how their security teams “stay abreast of the latest security technologies, trends and updates”.
To use the words of Luke Hopewell from Gizmodo Australia, “the Commonwealth Bank seems keen on ushering people along from the scene of an accident like there’s nothing to see.” Yeah, don’t do that, Commonwealth Bank. Especially when your customers are freaking out.
So, did you need to worry about it? No. Based on the fact that all of Netbank pages are ASPX pages, it appears to be running on a Windows Server with IIS. In layman’s terms, it means that it is highly unlikely to be using OpenSSL.
Commonwealth Bank has since confirmed that it wasn’t using OpenSSL. In an update to the blog post (after the online backlash against it), Drew Unsworth wrote, “NetBank does not (and did not) use OpenSSL.”
“We have multiple layers of security in place to protect our customer sites and services. Our security teams constantly monitor and stay abreast of the latest security vulnerabilities and are quick to take any action required to protect our customers,” he continued.
In summary, Commonwealth Bank does not use OpenSSL, so you can all breathe a sigh of relief. That said, I would go ahead and change that password – just in case.