Author Topic: State of avast portal SSL renewal concerning Heartbleed  (Read 4768 times)

Joey van Hummel

  • Guest
State of avast portal SSL renewal concerning Heartbleed
« on: April 13, 2014, 09:10:02 PM »
Hi there.

Avast's servers were (are?) vulnerable to Heartbleed.
https://gist.github.com/dberkholz/10169691
https://lastpass.com/heartbleed/?h=avast.com

It seems to be fixed now, but the last time your SSL certificates were updated was 3 months ago.

Seeing how you guys provide IT security, it is weird to see you still haven't replaced this now untrustable certificate.

Furthermore, I also think it's weird that this forum, specifically registration and login, are not standard in HTTPS.
Actually, going to HTTPS even breaks the site AND warns of mixed content.

Can we get a statement on this? Maybe the reports are just wrong? As an IT security company, this can't be how you intend to deal with this vulnerability.

With kind regards,

Joey van Hummel
« Last Edit: April 13, 2014, 09:17:39 PM by Joey van Hummel »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter
Re: State of avast portal SSL renewal concerning Heartbleed
« Reply #1 on: April 13, 2014, 10:02:29 PM »
Well theoretically speaking one is not allowed to test websites for the Heartbleed bug. Read: http://bgr.com/2014/04/11/hearbleed-online-security-checks   link article author = Chris Smith

avast! isn't an IT security company; it is an AV vendor. For comments, if you get any, that is up to avast! team members.

polonus

P.S.
Quote
Last year it was reported that the NSA paid security firm RSA $10 million to intentionally weaken an encryption algorithm and had circumvented or cracked other encryption schemes.
See for quote: http://www.forbes.com/sites/larrymagid/2014/04/11/report-nsa-knew-about-and-exploited-heartbleed-for-years/  link article author = Larry Magid, Contributor

« Last Edit: April 14, 2014, 01:09:46 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!