Thursday, April 17, 2014

Heartbleed: What You Do and Do Not Need To Worry About


If you have a business website, you’ve probably already heard about the Heartbleed Bug, and you are probably worried about it.


Simply put, the Heartbleed Bug is a flaw in the SSL certificate used by some websites. That flaw might allow passwords, credit card numbers and other data to be leaked as a result.


SSL certificates are usually limited to websites that deal with online financial transactions. Websites that use them can be distinguished because they include “https” instead of “http” in their URL. A lock can also often be seen in the address bar in front of the URL while visiting the site.


Mashable recently published a hit list of some big sites and services affected. These include:


  • Facebook
  • Pinterest
  • Tumblr
  • Google
  • Yahoo
  • Gmail
  • Yahoo Mail
  • Amazon Web Services
  • Etsy
  • GoDaddy
  • Flickr
  • YouTube

There is already a Chrome extension (and probably other tools out there) claiming to help determine whether your site is affected. Of course, it’s important to be careful when using such tools and perhaps run some tests to be sure they are reliable. For example, you might test them to see whether you get any false positives.


Since only “https” sites can potentially be affected, for example, test to see whether you get positive reads off “http” sites, too. If so, the tool you’re using might not be trustworthy.


Dominic Lachowicz, Vice President of Engineering at Merchant Warehouse, also cautions that not all SSL certificates are flawed. Merchant Warehouse provides electronic sales tools for mobile, ecommerce and storefront sales, but Lachowicz says the company was not affected by the bug.


Lachowicz spoke with Small Business Trends recently about some of the issues of most concern with Heartbleed. He acknowledged:


“This is indeed a serious problem on the Web. The first thing I’d like to advise everyone is to not panic.”



He says the first step is to determine whether your site has been affected. If you maintain your own site, Lachowicz recommends testing it for the bug using a tool built by encryption consultant Filippo Valsorda.


If your site has been affected, you will need to reinstall your site’s SSL certificate. For example, Lachowicz writes in a recent post on the official Merchant Warehouse Blog that a new fixed version of OpenSSL has already been released.


If you don’t manage your own website, Lachowicz recommends reaching out immediately to your Web development team or online provider. They will be able to tell you whether they have been affected.


If they have, chances are a fix has already been installed, in which case you will simply need to change any passwords associated with the site. That should be enough to protect against any future exposure.




The post Heartbleed: What You Do and Do Not Need To Worry About appeared first on Small Business Trends.




Source: Small Business Trends


