NRA: New Membership Portal

[meles meles]

Someone needs to go tug Mr Mercer's strings...

[Sim G]

Every time I'm about to rejoin the NRA, something comes along that casts more doubts for me....

[ovenpaa]

All seems quite straight forward to me however I do note I cannot enter my NRA membership number which is the first field of the first page of members details. Am I missing something?

[StanDeasy]

The new website does not appear to be vulnerable to the Heartbleed bug

- At least according to the test site: https://filippo.io/Heartbleed/

[Demonic69]

Yeah that was only in SSL1.0, still so many vulnerabilities in TLS1.0 though and it's not hard to upgrade to 1.1 or 1.2.
The problem is David is that your personal information is going to yet another 3rd party, this time one that makes money and imposes it's own Ts&Cs. If someone gets hold of it it's no hard to extrapolate that a paid member of the NRA just might own firearms.
It's not really a massive deal, I just expected a bit more caution from the likes of the NRA, but I work in several very security conscious environments so am always a bit wary about the availability of private data.

[meles meles]

Sheeple are amazingly lax with data security these days...

[nfrancis]

The new website does not appear to be vulnerable to the Heartbleed bug

- At least according to the test site: https://filippo.io/Heartbleed/

Probably because they are running on Microsoft software

[nfrancis]

Yeah that was only in SSL1.0, still so many vulnerabilities in TLS1.0 though and it's not hard to upgrade to 1.1 or 1.2.

Not hard?? - Hmm - read RFC1925 section 4

SSL is a protocol. Heartbleed only affected a few specific versions of the OpenSSL software which implements the SSL/TLS protocol - 1.01 to 1.01f. OpenSSL is mainly used in unix style machines. Azolve services are probably running Microsoft stacks.

TLS v1.0 (the protocol) is SSL v3. TLS 1.1 and 1.2 just enhance this. You have to be careful of automated scanning tools and exactly what they are telling you and testing for. Its highly likely the systems Azolve are running are patched accordingly - it may be reporting TLS1.0 but it will be a patched version of TLS 1.0. Sites continue to run TLS 1.0 (the protocol) for compatibility reasons.

[karen]

Can't say I'm impressed with it - why not wait till the non-working bits are sorted before going live with it?

And how come they reckon they know what time I was born? Which was wrong obviously - an odd auto fill in which I am sure there is a reason for but just looks scrappy wtfwtf .

Just makes the NRA look unprofessional I'm afraid

Love

Karen

[StanDeasy]

Absolutely. Either the data was not migrated properly or the original data was riddled with errors.