Heartbleed and What to do Against it When Running an Online Shop


The so-called “Heartbleed bug” in OpenSSL, disclosed a few days ago, has shaken the entire Internet community. In the words of my colleagues @tabsl: “There has been nothing more terrible than this in the entire history of the Internet” and @[D³]tdartsch: “As a matter of fact, the entire field of secure Internet communications lies in ruins.”

Online merchants in particular – no matter which shopping cart system they use – are hit hard: the Heartbleed bug is a serious vulnerability that allows the theft of data that ought to be protected by SSL/TLS encryption during the registration and checkout process in an online shop. Even worse: nobody knows whether a website has already been exploited, because an attack leaves no trace… Fixing this issue is of the utmost importance, as a shop owner is responsible towards his clients for the data stored in his database!


Alright, let's all take a moment for a collective sigh of relief. If you run an online shop, or run one for clients, here is what you can actively do:

  1. Make sure that OpenSSL is up to date on your servers. If you have shell access, you can check it with $ openssl version -a. If the “built on” date is later than April 7th 2014, you should be safe.
  2. A new SSL certificate has to be issued and installed on the server. We talked to our hosting partners: all of them have already done #1 and are in touch with their clients to exchange the certificates.
  3. Change your own credentials for the admin panel of your system. Protect this admin panel with an .htaccess file (directory protection) and change those passwords as well.
  4. Force your customers to change their login details and so on immediately. Tell them clearly about this bug and that you cannot guarantee against misuse of their personal data if they don't. Send an extra newsletter on the topic; perhaps offer a discount voucher to encourage them.
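The version check from step 1, scripted as an added example (this is not code from the original post): the function reads the text printed by openssl version -a, extracts the version string and the “built on” line, and applies the post's rule that a build dated on or after April 7th 2014 should be safe. The rule that only the 1.0.1 and 1.0.2-beta series carry the bug at all is my own assumption added on top of the post's date check, and the three sample outputs are constructed for illustration, not captured from real hosts.

```shell
#!/bin/sh
# Classify `openssl version -a` output for the Heartbleed check described in step 1.

# Constructed sample outputs (not captured from real hosts).
SAMPLE_OLD='OpenSSL 1.0.1e 11 Feb 2013
built on: Tue Mar 25 10:15:09 UTC 2014
platform: debian-amd64'
SAMPLE_PATCHED='OpenSSL 1.0.1e 11 Feb 2013
built on: Tue Apr  8 13:00:41 UTC 2014
platform: debian-amd64'
SAMPLE_OLD_BRANCH='OpenSSL 0.9.8o 01 Jun 2010
built on: Mon Jan  6 12:00:00 UTC 2014
platform: linux-x86_64'

# Map a three-letter month name to its two-digit number ("00" if unknown).
month_num() {
  case "$1" in
    Jan) echo 01;; Feb) echo 02;; Mar) echo 03;; Apr) echo 04;;
    May) echo 05;; Jun) echo 06;; Jul) echo 07;; Aug) echo 08;;
    Sep) echo 09;; Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
    *)   echo 00;;
  esac
}

# heartbleed_check "<full output of openssl version -a>"
# Prints one verdict and sets the exit status:
#   not-affected    (0) version outside the 1.0.1 / 1.0.2-beta series (assumption: no heartbeat bug there)
#   built-after-fix (0) 1.0.1-series build dated on/after 7 Apr 2014, the post's "should be safe" rule
#   update-now      (1) 1.0.1-series build older than that, or a build date that cannot be read
heartbleed_check() {
  version=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][^ ]*\).*/\1/p' | head -n 1)
  case "$version" in
    1.0.1*|1.0.2-beta*) ;;                 # possibly affected, go on to the date check
    *) echo not-affected; return 0;;
  esac
  built=$(printf '%s\n' "$1" | sed -n 's/^built on: *//p' | head -n 1)
  # "Tue Apr  8 13:00:41 UTC 2014" splits into: weekday month day time zone year
  set -- $built
  [ $# -ge 6 ] || { echo update-now; return 1; }
  mon=$(month_num "$2")
  day=$(printf '%02d' "$3")
  year=$6
  stamp="$year$mon$day"                     # e.g. 20140408, comparable as an integer
  if [ "$stamp" -ge 20140407 ] 2>/dev/null; then
    echo built-after-fix
    return 0
  fi
  echo update-now
  return 1
}

# Demonstration on the constructed samples.
for s in "$SAMPLE_OLD" "$SAMPLE_PATCHED" "$SAMPLE_OLD_BRANCH"; do
  heartbleed_check "$s" || :
done
```

On a real server run it as heartbleed_check "$(openssl version -a)". The function deliberately keys on the build date rather than the version letter, as the post does, because distributions ship security fixes as backports without changing the reported version (a patched host can still print 1.0.1e); a verdict of update-now is therefore a prompt to confirm with your package manager or hosting partner, not proof of exposure.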

Alright. Now that you are aware of this topic – act now! Good luck to all of you brave online merchants!

Let us know if there’s anything else to do from your perspective as a comment to this blog post.

5 Replies
  1. Danny Althoff says:

    Point one isn't valid, because that Heartbleed bug only exists in “newer” versions of OpenSSL; older 0.9.8 or 1.0.0 versions are not affected, because they didn't implement TLS 1.1 / TLS 1.2 (which is also noted on that special website).
    There is a lot of panic, because often the news just says “OpenSSL has that bug”, and non-admins are freaking out, because they don't give the needed attention to that tiny version-number thing, so I think it's worth mentioning here (to not push that confusion any further).

    • Marco Steinhaeuser says:

      You're right, Danny – versions without TLS are not affected. Anyway, it seems better to have the latest version installed.


Trackbacks & Pingbacks

  1. […] a post was published describing how to deal correctly with the Heartbleed bug (Heartbleed and What to do Against it When Running an Online Shop). In addition, Joscha Krug and Dr. Roman Zenner have […] the work on the manuscript for the new edition […]

