There’s been a lot of press the past few days about the Heartbleed bug. Some have called it the worst security flaw in internet history. Exaggeration? Perhaps. Perhaps not. But if you run an ecommerce shop your customers may have questions about their security, and it’s best to have answers prepared in advance. So let’s look at the facts and work out what the Heartbleed bug actually does and how it affects you or your business.
To understand the bug you have to understand a little bit about SSL. SSL stands for Secure Sockets Layer (its modern successor is called TLS, but the old name has stuck), and it is the protocol meant to provide a private, encrypted channel between your computer and the server you are talking to. When SSL is in use you normally see the closed padlock icon next to the address bar in your browser. Just about every financial transaction today uses SSL, as do most sites that handle sensitive personal information.
How does it work?
SSL is a protocol specification; a web server needs a software library that implements it, and the most widely used open source implementation is OpenSSL. The so-called Heartbleed bug (CVE-2014-0160) is a flaw in OpenSSL’s implementation of the TLS “heartbeat” extension, present in OpenSSL 1.0.1 through 1.0.1f and in the 1.0.2 beta releases; the older 0.9.8 and 1.0.0 branches are not affected. The bug is a plain programming error, a missing bounds check. A client sends a heartbeat message that claims a payload length larger than the payload it actually sent, and the server answers with up to 64 KB of whatever happens to sit in its process memory next to the request. Each request returns a different slice of memory, the server keeps no record of it, and nothing stops an attacker from repeating it thousands of times. That memory can contain data belonging to other users’ connections, not just the attacker’s own. What type of data?
The type of data compromised by the Heartbleed bug has been categorized into four areas:
- Primary key material = the server’s private SSL key. With it an attacker can impersonate the site and, where the connection did not use forward secrecy, decrypt traffic recorded earlier.
- Secondary key material = user names and passwords that were in memory at the time.
- Protected content = the actual data passed between server and user, which was supposed to be encrypted.
- Collateral = other technical content in memory, such as memory addresses and internal security measures.
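The missing bounds check described above is easiest to see in code. The following is an added illustration written for this post, not OpenSSL’s own source: it models the heartbeat message layout from RFC 6520, a deliberately vulnerable handler that trusts the sender’s length field, and a fixed handler that applies the same check the OpenSSL patch introduced. The "process memory" and the secret that sits next to the request are constructed in the program so that it runs offline and the over-read stays inside a buffer we own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520):
 *   1 byte  type (1 = request, 2 = response)
 *   2 bytes payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of padding
 */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_HEADER   3

/* Constructed stand-in for server process memory: the received record,
 * followed by whatever happened to be allocated next to it (a fake secret). */
#define MEM_SIZE 256
static unsigned char g_memory[MEM_SIZE];
static unsigned char g_resp[MEM_SIZE];
static const char g_secret[] = "session_cookie=SECRET_TOKEN_1234";  /* constructed */

/* Write a heartbeat request into g_memory. claimed_len is the value put in
 * the length field; actual_len is how many payload bytes are really sent.
 * Returns the true length of the record as received from the network. */
size_t build_request(uint16_t claimed_len, size_t actual_len) {
    memset(g_memory, 0, MEM_SIZE);
    g_memory[0] = HB_REQUEST;
    g_memory[1] = (unsigned char)(claimed_len >> 8);
    g_memory[2] = (unsigned char)(claimed_len & 0xff);
    memset(g_memory + HB_HEADER, 'A', actual_len);
    memset(g_memory + HB_HEADER + actual_len, 'P', HB_PADDING);
    size_t record_len = HB_HEADER + actual_len + HB_PADDING;
    /* the secret lives right after the record, like neighbouring heap data */
    memcpy(g_memory + record_len, g_secret, sizeof g_secret);
    return record_len;
}

/* Vulnerable handler: the length field is trusted and record_len is never
 * consulted, so the memcpy reads past the real payload into adjacent memory. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                            unsigned char *out, size_t out_size) {
    (void)record_len;                                     /* the bug: unused */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + payload_len + HB_PADDING > out_size) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);  /* over-read */
    memset(out + HB_HEADER + payload_len, 'R', HB_PADDING);
    return HB_HEADER + payload_len + HB_PADDING;
}

/* Fixed handler: a heartbeat whose claimed payload does not fit inside the
 * record actually received is silently discarded, as in OpenSSL 1.0.1g. */
size_t heartbeat_fixed(const unsigned char *rec, size_t record_len,
                       unsigned char *out, size_t out_size) {
    if (record_len < HB_HEADER + HB_PADDING) return 0;    /* no room for a length */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + payload_len + HB_PADDING > record_len) return 0;
    if ((size_t)HB_HEADER + payload_len + HB_PADDING > out_size) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);
    memset(out + HB_HEADER + payload_len, 'R', HB_PADDING);
    return HB_HEADER + payload_len + HB_PADDING;
}

/* Did the secret from neighbouring memory end up in the response? */
int response_leaks_secret(const unsigned char *resp, size_t resp_len) {
    size_t n = sizeof g_secret - 1;
    for (size_t i = 0; i + n <= resp_len; i++)
        if (memcmp(resp + i, g_secret, n) == 0) return 1;
    return 0;
}

int main(void) {
    size_t rl = build_request(4, 4);                     /* honest: says 4, sends 4 */
    size_t n = heartbeat_fixed(g_memory, rl, g_resp, MEM_SIZE);
    printf("honest request: fixed handler answered %zu bytes\n", n);

    rl = build_request(100, 4);                          /* malicious: says 100, sends 4 */
    n = heartbeat_vulnerable(g_memory, rl, g_resp, MEM_SIZE);
    printf("malicious request: vulnerable handler answered %zu bytes, secret leaked: %s\n",
           n, response_leaks_secret(g_resp, n) ? "yes" : "no");
    n = heartbeat_fixed(g_memory, rl, g_resp, MEM_SIZE);
    printf("malicious request: fixed handler answered %zu bytes (0 = dropped)\n", n);
    return 0;
}
```

A real attacker sets the length field to its maximum of 65535 and repeats the request, pulling a fresh 64 KB of memory each time; the fix is nothing more than comparing the claimed length against the size of the record that actually arrived.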
Who does it affect?
Clearly, there is the possibility that connections you thought were secure were in fact not. A persistent attacker could have sent the request over and over, each answer returning up to 64 KB of server memory, and may well have captured user names and passwords for accounts that were logged in at the time.
The vulnerable code shipped in OpenSSL 1.0.1, released in March 2012, and so far there is no confirmed report of the flaw being exploited before it was disclosed. That is weaker comfort than it sounds: a Heartbleed request looks like a normal TLS message and leaves nothing in ordinary server logs, so administrators would not have noticed even widespread abuse, and consumers would have had no way to tell why a password went missing. Perhaps the flaw was never found by anyone else; perhaps it was. Nobody knows.
Potentially it affects anyone who has used SSL in the past two years. Since SSL is used in ecommerce, email and financial transactions, just about everyone has been exposed at some point.
What can you do to protect yourself?
First of all, OpenSSL has released a fixed version (1.0.1g), so it is only a matter of time until the flaw is removed from most if not all servers. But the fix has to be deployed by server administrators, not by end users, and patching alone is not enough: because the server’s private key may already have been read out of memory, administrators also need to generate a new key, have the certificate reissued and revoke the old one.
As an end user, then, there is little you can do until the sites you use have been fixed. Remember, not all servers were affected; only servers running the specific OpenSSL versions, so a given site may never have been at risk. Service providers will normally contact you AFTER the fix has been deployed on their servers and ask you to change your password at that point.
As OpenSSL itself points out, changing a password before the fix is in place does not really protect you, since the new password passes through the same vulnerable memory as the old one. Changing it now does make whatever an attacker already captured obsolete, and that is worth something, but expect to change it again once the site confirms it has patched and replaced its certificate. Using a different password on every site limits the damage either way.
If your ecommerce site uses SSL, contact whoever operates your web server: your hosting provider, or your own system administrator if you run it yourself (on your own server, "openssl version" tells you which release is installed). The certificate authority that sold you the certificate does not run the vulnerable code, but you will need it to reissue the certificate once the server is patched. If the server was never running an affected version, you have a great answer for your customers. If it was affected but has already been patched, have the key and certificate replaced, then ask your customers to change their passwords. The last possibility is that the server is affected and not yet patched. In that case ask for a date by which the fix will be deployed, and request password changes from your customers only after that date and after the certificate has been replaced.
The Heartbleed bug has generated quite a bit of publicity, which is bound to generate customer questions. The best response is to understand proactively how the flaw works and determine whether it affects you or your customers. By doing your research in advance you will look that much more professional if and when a query comes your way.