Keeping your Website safe from the Heartbleed bug
By now most people have heard about the Heartbleed bug, as there have been plenty of “scare” news stories about it. While those stories covered some of the basics and inspired a lot of fear, they were often not very informative.
So what do you, as a business owner, need to know about this bug and how will it affect your business and your customers?
The Heartbleed Basics
The bug is in OpenSSL, an encryption library that is one of the programs used to create secure web connections; as many as two-thirds of the internet use it. Encryption software like OpenSSL is what puts the “padlock” icon in the browser when you are doing things like e-commerce or banking, and it protects the traffic between your browser and those websites. The idea behind SSL is to make the connection secure so nobody can listen in on the information being sent.
The name of the bug comes from a feature called “heartbeat” that was added to OpenSSL about two years ago, and it is that feature that contains the flaw. This means the problem has been out there for a while, which is why there is concern that information ‘could’ have been compromised. However, it is an isolated programming bug found only in certain versions of OpenSSL, not a design flaw in the underlying SSL protocol, so it can be fixed with a software patch or upgrade.
Of course, if your organization doesn’t use OpenSSL then your own systems do not have this problem.
Why Does It Matter?
Obviously you don’t want customers avoiding your site because of concerns over data loss. In this case the bug lets an attacker read pieces of the server’s memory, and the data that can be disclosed that way includes usernames and passwords, which can completely undermine site security and result in large data breaches. So if you own a website that handles e-commerce or other sensitive data, you will need to address the Heartbleed problem.
What Should I Do?
Here are the steps everyone should take to make sure their website is safe:
- Check whether your company is using OpenSSL. Ideally your IT staff, or the IT contractor you use, should be able to tell you. You can also go to this website, https://filippo.io/Heartbleed/, to test whether a website is vulnerable.
- If you are using OpenSSL, identify which systems are affected and upgrade them to a version that is not vulnerable. After installing the upgrade, make sure to restart the services that use OpenSSL so the fixed version is actually in use.
- Next, revoke the old SSL certificates, create new encryption keys and obtain new SSL certificates. Some people might think this an excessive step, but it is a smart move considering that the problem has been out there for approximately two years. Additionally, it can be difficult, if not impossible, to determine whether a certificate and its keys have been compromised, so this step ensures protection.
- Now that your site is repaired and protected, it would be wise to notify your users and recommend that they change their passwords.
- For businesses that use an IT provider for things such as cloud services, contact them to see whether their services were impacted. Once they have fixed the problem, make sure to change your passwords.
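The following script is an added example for the server-side steps above (check the installed OpenSSL version, restart the services that use it, and generate a new key and certificate request); it is not code from the article. It assumes a POSIX shell on the affected host, that the fixed OpenSSL version is supplied in the FIXED_OPENSSL_VERSION variable from your vendor’s advisory (the script only ships a placeholder), and that the service names passed to restart_services are the daemons on your machine. The version line it demonstrates on is constructed sample output, not a real release.

```shell
#!/bin/sh
# Added example, not from the article: helpers for the Heartbleed remediation
# steps (check the OpenSSL version, restart services, generate a fresh key).
# Assumptions: FIXED_OPENSSL_VERSION comes from your vendor's advisory
# (placeholder below), and the service names are the daemons on your host.
set -eu

# Turn an OpenSSL version such as 1.0.1f into one integer so two versions can
# be compared numerically. Fields: major, minor, fix and the trailing patch
# letter (none=0, a=1, b=2, ...).
version_key() {
    v=$1
    num=${v%%[a-z]*}                 # strip the patch letter: "1.0.1f" -> "1.0.1"
    letter=${v#"$num"}               # what was stripped: "f" (or empty)
    old_ifs=$IFS; IFS=.
    set -- $num                      # split on dots into $1 $2 $3
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; fix=${3:-0}
    ord=0
    if [ -n "$letter" ]; then
        # printf '%d' "'f" prints the character code of f (102); 'a' is 97
        ord=$(( $(printf '%d' "'$letter") - 96 ))
    fi
    echo $(( major * 1000000 + minor * 10000 + fix * 100 + ord ))
}

# Succeeds (exit 0) when version $1 is at least version $2.
version_ge() {
    [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}

# Pull the bare version out of an "openssl version" line:
# "OpenSSL 1.2.3d 1 Jan 2000" -> "1.2.3d".
parse_openssl_version_line() {
    set -- $1
    echo "$2"
}

# Steps 1 and 2: report whether the installed library is at or above the
# fixed version. Exit 0 means patched, 1 means an upgrade is required.
check_openssl() {
    installed=$1
    fixed=$2
    if version_ge "$installed" "$fixed"; then
        echo "OpenSSL $installed is at or above $fixed: patched"
        return 0
    fi
    echo "OpenSSL $installed is below $fixed: upgrade required"
    return 1
}

# Step 2, second half: restart every service that loaded the old library so
# the patched code is actually in use. Works with systemd or SysV init.
restart_services() {
    for svc in "$@"; do
        if command -v systemctl >/dev/null 2>&1; then
            systemctl restart "$svc"
        else
            service "$svc" restart
        fi
    done
}

# Step 3: generate a brand-new private key and a certificate signing request
# for the CA. A key that sat in memory on a vulnerable server has to be
# treated as exposed, so the old key file is only kept for the revocation
# request and must never be reused.
rekey() {
    host=$1; out_dir=${2:-.}
    umask 077                        # new key readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$out_dir/$host.key.new" \
        -out "$out_dir/$host.csr" \
        -subj "/CN=$host"
}

# Stand-alone demonstration on a constructed version line. On a real host use:
#   check_openssl "$(parse_openssl_version_line "$(openssl version)")" "$FIXED_OPENSSL_VERSION"
if [ -z "${FIXED_OPENSSL_VERSION:-}" ]; then
    echo "FIXED_OPENSSL_VERSION not set; demo uses placeholder 1.2.3e" >&2
fi
demo_installed=$(parse_openssl_version_line "OpenSSL 1.2.3d 1 Jan 2000")   # constructed
check_openssl "$demo_installed" "${FIXED_OPENSSL_VERSION:-1.2.3e}" || true
```

A version-string comparison is only a first screen: many distributions backport the fix into a package without changing the library’s reported version, so the package changelog or the vendor advisory is the authoritative answer, and the web test linked above checks the running server rather than the version string.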
On a personal basis, a few large sites, such as Google and Yahoo, have admitted to problems with Heartbleed. You can use the link above to check on them. However, make sure any site with problems has fixed them before you change your password there, because otherwise you are just disclosing another password.
The Bottom Line
Internet security is always a sensitive topic. When people first started using the internet for business transactions, the biggest concern was the possible loss of data. With recent large-scale breaches by hackers attacking retailers, the importance of data security is certainly a hot-button topic once again. To that end, make sure that your business information, as well as your customers’ information, is protected and safe.