I was eating at a restaurant yesterday and attempted to pay with my debit card. I knew there was money in there, but the card came back as declined: invalid account number. What? So I called the card issuer – they had deactivated my debit card due to the OpenSSL security breach called the Heartbleed bug that has been in the news the past couple of days. They told me I was being sent a new card – that’s fine, but is the problem fixed, and what does that mean to you as a website owner selling products on the Internet (or buying products on the Internet)?
First, let me assure WebStores Ltd customers that your sites are not affected. Anyone using the WebStores software is on a Windows IIS server, which does not use OpenSSL. Any WebStores customers who are on the WordPress platform are on a shared Linux server, and those have all been patched. You and your customers are safe.
What if you are shopping or doing online banking of any kind? As of this posting, here is what is known:
- Affected sites include a number of Google services (including Gmail and YouTube), Facebook, Tumblr, Yahoo and Dropbox. All of these sites have been patched, and security experts are advising people to change their passwords on these accounts, even if the sites themselves aren’t issuing the advice directly, as is the case with Google.
- Sites that don’t use the OpenSSL software and are not affected by the flaw include PayPal, Microsoft accounts, Twitter, Amazon, eBay, and the IRS.
The reality is that the Heartbleed bug has been around for about 2 years. Only in the past few days has it become newsworthy. If you are concerned about a site that you wish to conduct business on, you can test it for the Heartbleed vulnerability first by visiting: http://filippo.io/Heartbleed.
- Change your passwords regularly.
- Do it now for Google and Facebook.
- Use strong passwords that include both upper and lower case letters, numbers, and punctuation. For example, make your password a short sentence.
If you can’t remember all of your online passwords, use a password management tool. A good one is KeePass Password Safe, which can be found at: http://keepass.info/. This tool is free. It stores all of your passwords on your computer (not in the cloud), so only you have access to them, and you must remember a “Master Password” to see all of the other passwords you have stored.