The so-called “Heartbleed bug” in OpenSSL, disclosed a couple of days ago, shook the entire Internet community. In the words of my mates @tabsl: “There has been nothing more terrible than this in the entire history of the Internet” and @[D³]tdartsch: “As a matter of fact, the entire field of secure Internet communications lies in ruins.”
Online merchants in particular – no matter which shopping cart system they use – are hit hard: the Heartbleed bug is a serious vulnerability that allows the theft of data that ought to be protected by SSL/TLS encryption during registration and checkout in an online shop. Even worse: nobody knows whether a website has already been exploited, because an attack leaves no trace. Fixing this issue is of the utmost importance, as a shop owner is responsible to his clients for the data stored in his database!
Alright, let's all take a moment for a collective sigh of relief and then, if you run an online shop or run one for clients, see what you can actively do:
- Make sure that OpenSSL is up to date on your servers. If you have shell access, you can check it with `openssl version -a`. If the “built on” date is after April 7th 2014, you should be safe.
- A new SSL certificate has to be issued and installed on the server. We talked to our hosting partners: all of them have already done step 1 and are in touch with their clients in order to exchange the certificates.
- Change your own credentials for accessing the admin panel of your system. Secure this admin panel with an .htaccess file (directory protection) and change those passwords as well.
- Force your clients to change their login details and so on, immediately. Tell them clearly about this bug and that you cannot guarantee against misuse of their personal data if they do not. Send an extra newsletter on this topic, maybe with a voucher of a few percent to entice them.
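To make steps 1 and 2 checkable rather than eyeballed, here is a small POSIX shell script. It is an added example, not part of the original post and not from any hosting partner: it parses the text of `openssl version -a` (the “built on” line) and of `openssl x509 -noout -dates` (the `notBefore` line) and compares both dates against April 7th 2014, the fix date the post gives. The sample outputs inside the script are constructed so that it runs offline; on a real server you would feed it the live command output as shown in the comment.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks for steps 1 and 2.
# The functions take command output as text, so they can be exercised on the
# constructed samples below without touching a real server.

# Fix date given in the post: OpenSSL builds on or after this day are patched.
FIX_DATE=20140407

# Turn "Apr 7 2014" into 20140407 so dates compare as plain integers
# (works in dash/busybox sh, no GNU date required). Unknown month -> 0.
ymd() {
  case "$1" in
    Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
    Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
    *) echo 0; return;;
  esac
  printf '%s%s%02d\n' "$3" "$m" "$2"
}

# Build date (YYYYMMDD) parsed from the text of `openssl version -a`.
# The relevant line looks like:   built on: Mon Apr  7 21:09:08 UTC 2014
build_date() {
  set -- $(printf '%s\n' "$1" | awk '/^built on:/ { print $4, $5, $NF }')
  ymd "$1" "$2" "$3"
}

# True (exit 0) when the build date is on or after the fix date (step 1).
openssl_built_after_fix() {
  [ "$(build_date "$1")" -ge "$FIX_DATE" ]
}

# Issue date (YYYYMMDD) parsed from the text of `openssl x509 -noout -dates`.
# The relevant line looks like:   notBefore=Apr 10 00:00:00 2014 GMT
cert_not_before() {
  set -- $(printf '%s\n' "$1" | awk -F= '/^notBefore=/ { split($2, f, " "); print f[1], f[2], f[4] }')
  ymd "$1" "$2" "$3"
}

# True (exit 0) when the certificate was issued on or after the fix date,
# i.e. it has been reissued since the patch (step 2).
cert_reissued_after_fix() {
  [ "$(cert_not_before "$1")" -ge "$FIX_DATE" ]
}

# Constructed sample outputs (version strings are placeholders, not real releases).
SAMPLE_OLD='OpenSSL X.Y.Z 11 Feb 2013
built on: Mon Feb 11 15:20:10 UTC 2013
platform: linux-x86_64'
SAMPLE_NEW='OpenSSL X.Y.Z 7 Apr 2014
built on: Mon Apr  7 21:09:08 UTC 2014
platform: linux-x86_64'
SAMPLE_CERT_OLD='notBefore=Jan 15 00:00:00 2014 GMT
notAfter=Jan 15 23:59:59 2015 GMT'
SAMPLE_CERT_NEW='notBefore=Apr 10 00:00:00 2014 GMT
notAfter=Apr 10 23:59:59 2015 GMT'

# Print a short status for both checks.
report() {
  if openssl_built_after_fix "$1"; then
    echo "openssl: built on/after fix date - ok"
  else
    echo "openssl: built before fix date - update it"
  fi
  if cert_reissued_after_fix "$2"; then
    echo "certificate: issued after fix date - ok"
  else
    echo "certificate: issued before fix date - reissue it with a new key"
  fi
}

# On a real server, replace the constructed samples with live output, e.g.:
#   report "$(openssl version -a)" "$(openssl x509 -noout -dates -in /path/to/shop.crt)"
report "$SAMPLE_NEW" "$SAMPLE_CERT_OLD"
```

Two caveats on using it for real. The build-date check is the heuristic the post recommends; some distributions backport the fix into an older version string, so the package changelog of your distribution is the authoritative answer. And a certificate issued after the fix date only helps if it was generated with a freshly created private key, since the old key may have been read out through the bug; the old certificate should be revoked at the same time.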
Alright. Now you know about this topic – act now! Good luck to all of you brave online merchants!
Let us know in a comment on this blog post if there is anything else to do from your perspective.