Called by some the worst security flaw in the history of the internet to date, the Heartbleed bug can cause widespread problems for sites and servers that use OpenSSL, which is estimated to protect some two-thirds of active web servers. If you don’t know what OpenSSL is (it’s tech talk) and aren’t really concerned about it, you should reconsider. Chances are you come in contact with OpenSSL several times a day without ever knowing it.
The Heartbleed bug is a flaw in OpenSSL’s implementation of the TLS heartbeat extension (a missing bounds check, tracked as CVE-2014-0160) that lets an attacker read up to 64 KB of a server’s memory per request, leaving no trace in the logs. That memory can contain private keys, session cookies, passwords and credit card numbers. The bug has been in the code since early 2012, so if you (or your customers) have logged into any affected site over the past two years, account information could have been exposed. Change your own passwords on affected sites, but only after each site has been patched; a new password entered on a still-vulnerable server can leak just like the old one. (Mashable has put together a page listing which sites are affected and whether they have been fixed yet.)
Detecting It
Beyond protecting your own accounts, ecommerce store owners and operators should check that the server their store runs on is not affected. There are a number of ways to do this; one convenient option is GeoTrust’s SSL Toolbox, which they linked in an email I received yesterday. The toolbox lets you paste your CSR for checking or enter your domain name to test the live server for the vulnerability. Note that a domain-name test only covers the host that answers on port 443; load balancers, mail servers, VPN gateways and any other service built on OpenSSL need to be checked separately.
They also included a helpful checklist for diagnosing and correcting the issue if you are affected (reproduced below from the email). Two points it leaves implicit are worth spelling out: a patched OpenSSL library only takes effect once every process that loaded the old one (the web server, but also mail, VPN and database daemons) has been restarted, and the new CSR must be generated from a new private key, since the old key may already have been read out of memory and reissuing a certificate for it protects nobody.
Fixing It
Steps to Success:
- Identify if your web servers are vulnerable (running OpenSSL versions 1.0.1 through 1.0.1f with the heartbeat extension enabled). Use our SSL Toolbox to detect this. If you’re running a version of OpenSSL prior to 1.0.1, no further action is required.
- If your server is impacted, update to the latest patched version of OpenSSL (1.0.1g), or recompile OpenSSL without the heartbeat extension.
- Generate a new Certificate Signing Request (CSR).
- Reissue any SSL certificates for affected web servers using the new CSR (do this after moving to a patched version of OpenSSL).
- Install the new SSL certificate and test your installation.
- After the new certificate is successfully installed, revoke any certificates that were replaced.
- Website administrators should also consider resetting end-user passwords that may have been visible in compromised server memory.
- Always refer back to the Knowledge Base for more information.
If you have additional questions, please contact your SSL Reseller for further support and more information.
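The version check in the first item and the key and CSR rotation in the third and fifth items, as an added shell example (not GeoTrust’s checklist code and not the original author’s). `heartbleed_version_status` classifies an `openssl version` string against the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1, which the checklist does not list but which was also affected); `rotate_key_and_csr` generates a new RSA key and a CSR for it and confirms the two moduli match, so the CSR cannot have been built from the old, possibly leaked key. The output basename, the subject `/CN=shop.example.com` and the `rotate` argument are assumptions for the illustration. One caveat: distributions such as Debian, Ubuntu and Red Hat backported the fix without bumping the version string, so a box reporting 1.0.1e may in fact be patched; for those, check the package changelog for CVE-2014-0160 rather than trusting the version alone, or test the live service.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version string for CVE-2014-0160 and
# rotate the private key + CSR. Not part of GeoTrust's checklist.

# Print one of: vulnerable, patched, unaffected, unknown.
# Input is the full output of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
# A "vulnerable" verdict is by upstream version only; a distro-backported
# fix does not change the version string and must be checked via the
# package changelog or a live test.
heartbleed_version_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    case "$ver" in
        # Upstream affected range: 1.0.1 through 1.0.1f, plus 1.0.2-beta1.
        1.0.1|1.0.1-*|1.0.1[abcdef]|1.0.1[abcdef]-*|1.0.2-beta1) echo vulnerable ;;
        # 1.0.1g and later, and 1.0.2-beta2 and later, carry the fix.
        1.0.1*|1.0.2*) echo patched ;;
        # 0.9.8 and 1.0.0 never had the heartbeat code; 1.1.x and 3.x postdate the fix.
        0.*|1.0.0*|1.1.*|3.*) echo unaffected ;;
        *) echo unknown ;;
    esac
}

# Generate a NEW private key (the old one must be treated as leaked) and a CSR
# for it, then prove the CSR was built from that key by comparing moduli.
# $1 = output basename (writes $1.key and $1.csr)
# $2 = subject, e.g. /CN=shop.example.com (assumed name for the illustration)
rotate_key_and_csr() {
    base=$1
    subj=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$base.key" -out "$base.csr" -subj "$subj" >/dev/null 2>&1 || return 1
    chmod 600 "$base.key"
    key_mod=$(openssl rsa -noout -modulus -in "$base.key" | openssl sha256)
    csr_mod=$(openssl req -noout -modulus -in "$base.csr" | openssl sha256)
    [ "$key_mod" = "$csr_mod" ]
}

# First checklist item on this host (only if openssl is installed).
if command -v openssl >/dev/null 2>&1; then
    echo "local OpenSSL: $(openssl version) -> $(heartbleed_version_status "$(openssl version)")"
fi

# Third and fifth items on demand, e.g.:
#   sh heartbleed-check.sh rotate /etc/ssl/private/shop /CN=shop.example.com
if [ "${1:-}" = rotate ]; then
    rotate_key_and_csr "${2:-newcert}" "${3:-/CN=shop.example.com}" \
        && echo "wrote ${2:-newcert}.key and ${2:-newcert}.csr (moduli match)"
fi
```

After the CA returns the reissued certificate, install it together with the new `.key`, restart every service that loaded the old library, and only then revoke the old certificate; revoking first would take the site down while the replacement is still pending.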
If you have any further resources or up-to-date information on the Heartbleed bug please let me know by commenting below.