by Mark » Fri Apr 25, 2014 3:02 pm
Hi Stephanie,
Good question. No, Fund Manager does not use OpenSSL when doing any of the online transaction/position retrieval from your broker. Fund Manager uses a component of IE from Microsoft called wininet that handles this, and that does not use OpenSSL, and does not have the Heartbleed bug. However, this is only the Fund Manager end of the connection. It may be possible for your broker's OFX server to be using OpenSSL. You may want to check with whatever broker or mutual fund company you're retrieving from to have them clarify that their OFX server is not running with an affected version of OpenSSL. If they are using an affected version, not retrieving with Fund Manager is not going to help. An affected server can be compromised without you doing anything. So, you might as well continue retrieving, as just retrieving does not expose any of your information. If their server is affected, it can be compromised whether you retrieve or not. Hopefully they have fixed any affected servers.
On a related note, Fund Manager does use OpenSSL when sending email alerts to an SMTP server that uses SSL. The version of OpenSSL used by Fund Manager is 0.9.8g and was not affected by the Heartbleed bug.
Also, our online ordering system uses a secure HTTPS connection, and this server is running OpenSSL, but is also using 0.9.8g, so it is not (nor was it ever) affected by the Heartbleed bug.
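The post above reasons from OpenSSL version numbers (0.9.8g was never affected; the bug lived in the 1.0.1 line). The following is an added example, not code from Mark's post or from Fund Manager, showing how a defender can turn that reasoning into an inventory check: it parses OpenSSL version strings as they appear in server banners (including the letter suffixes and the 1.0.2 beta naming OpenSSL uses) and reports whether each one falls in the Heartbleed-affected range. The affected range encoded here (1.0.1 through 1.0.1f, plus the 1.0.2 betas; fixed from 1.0.1g) comes from the public advisory; the banner strings are constructed samples, and the function names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range per the public Heartbleed advisory (constant encoded here, not from the post):
#   1.0.1 (no suffix) through 1.0.1f  -> affected, fixed in 1.0.1g
#   1.0.2-beta builds                 -> affected, 1.0.2 final shipped fixed
#   0.9.8x and 1.0.0x                 -> never affected
LAST_AFFECTED_101_LETTER = "f"

# Matches "1.0.1f", "0.9.8g", "1.0.1", "1.0.2-beta1"; rejects anything else.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d*|pre\d*|dev))?$")

# Pulls the version out of a typical Server/banner line such as "... OpenSSL/1.0.1e".
BANNER_RE = re.compile(r"OpenSSL[/ ]?(\d+\.\d+\.\d+[a-z]*(?:-[a-z]+\d*)?)")


def parse_version(v: str) -> Optional[Tuple[int, int, int, str, str]]:
    """Split an OpenSSL version into (major, minor, patch, letter_suffix, prerelease)."""
    m = VERSION_RE.match(v.strip())
    if not m:
        return None
    major, minor, patch, letters, pre = m.groups()
    return int(major), int(minor), int(patch), letters, (pre or "")


def is_heartbleed_affected(v: str) -> Optional[bool]:
    """True if the version is in the affected range, False if not, None if unparseable."""
    parsed = parse_version(v)
    if parsed is None:
        return None
    major, minor, patch, letters, pre = parsed
    if (major, minor, patch) == (1, 0, 1):
        # Letter suffixes on 1.0.1 are single letters ("", "a", ..., "u"); "" sorts first.
        return len(letters) <= 1 and letters <= LAST_AFFECTED_101_LETTER
    if (major, minor, patch) == (1, 0, 2):
        # Only the beta builds of 1.0.2 carried the bug.
        return pre.startswith("beta")
    # Every other branch (0.9.8x, 1.0.0x, 1.1.x and later) never had the bug.
    return False


def extract_version(banner: str) -> Optional[str]:
    """Return the OpenSSL version quoted in a banner line, or None if there is none."""
    m = BANNER_RE.search(banner)
    return m.group(1) if m else None


def classify_inventory(banners: Dict[str, str]) -> Dict[str, str]:
    """Map each host label to 'affected', 'not affected' or 'unknown' from its banner."""
    result: Dict[str, str] = {}
    for host, banner in banners.items():
        version = extract_version(banner)
        verdict = is_heartbleed_affected(version) if version else None
        result[host] = {True: "affected", False: "not affected", None: "unknown"}[verdict]
    return result


# Constructed sample inventory (hostnames and banners are made up for the example).
SAMPLE_BANNERS = {
    "ofx-a.example": "Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1e",
    "ofx-b.example": "Apache/2.4.9 OpenSSL/1.0.1g",
    "smtp.example":  "Exim 4.80 OpenSSL/0.9.8g",
    "shop.example":  "nginx/1.4.7 OpenSSL/1.0.2-beta1",
    "odd.example":   "Microsoft-IIS/7.5",
}

if __name__ == "__main__":
    for host, verdict in classify_inventory(SAMPLE_BANNERS).items():
        print(f"{host:16} {verdict}")
```

The point of parsing rather than string-matching on "1.0.1" is the suffix handling: 1.0.1f and 1.0.1g differ by one letter but sit on opposite sides of the fix, and "1.0.2-beta1" must be flagged while "1.0.2" must not. A banner with no OpenSSL version (the IIS host) is reported as unknown rather than silently treated as safe.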