The Heartbleed Bug And You


What’s going on?

On Monday (April 7, 2014), Neel Mehta of Google Security and his team reported a bug with potentially massive consequences to the OpenSSL team. When I say massive, I mean that experts predict over 50% of all sites are affected now or have been affected in the past.

Anyone use Pinterest? Yahoo? Airbnb? We recommend you listen up.

So, what is the Heartbleed bug?

To boil it down, there's a hole in the encryption software (OpenSSL) that lets attackers get at a site's security keys, undermining the security of any site that uses an SSL certificate. They can move in, steal your important data, and leave without a trace. Because most, if not all, of these attacks leave no trace, they could have been going on for the past 2 years without anyone, not even Google, knowing about them. That's scary!

What are we doing about it?

Here at Wex Marketing, we develop all of our e-commerce sites around the latest and greatest security features and practices, including implementing at least a 256-bit SSL security certificate. Unfortunately, the bug that was just announced has been "open season" for a long time (up to 2 years!). The affected OpenSSL versions are listed as 1.0.1 through 1.0.1f, on servers running Apache and Nginx.
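As an added example (not part of the original post or Wex Marketing's tooling), the script below parses the banner printed by `openssl version` and flags the affected range named above, 1.0.1 through 1.0.1f. The sample banners are constructed, and the check is only a first triage step: Linux distributions often backport the fix without changing the banner, so an "affected" result means "check the package changelog", not "confirmed vulnerable".

```python
import re

# Constructed sample outputs of `openssl version` (not captured from any real host).
SAMPLE_OUTPUTS = [
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.0l 6 Jan 2014",
    "OpenSSL 1.0.1 14 Mar 2012",
]

# Banner format: "OpenSSL <major>.<minor>.<fix><optional patch letter> <date>"
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_version(banner):
    """Return (major, minor, fix, patch_letter) from a banner, or None if unparseable."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def is_heartbleed_range(banner):
    """True if the banner reports OpenSSL 1.0.1 through 1.0.1f, the range the post lists.

    OpenSSL orders patch releases by a trailing letter: 1.0.1 < 1.0.1a < ... < 1.0.1f < 1.0.1g.
    Returns None when the banner cannot be parsed. Distro backports are NOT detected here.
    """
    v = parse_version(banner)
    if v is None:
        return None
    major, minor, fix, letter = v
    if (major, minor, fix) != (1, 0, 1):
        return False
    # An empty letter is the initial 1.0.1 release; "f" is the last affected letter.
    return letter == "" or letter <= "f"


def triage(banners):
    """Map each banner to 'affected', 'not affected', or 'unknown'."""
    result = {}
    for b in banners:
        r = is_heartbleed_range(b)
        result[b] = "unknown" if r is None else ("affected" if r else "not affected")
    return result


if __name__ == "__main__":
    for banner, status in triage(SAMPLE_OUTPUTS).items():
        print(f"{status:13s} {banner}")
```

On a live host, feed it the real output of `openssl version` and then confirm any "affected" hit against the vendor's package changelog before deciding whether to re-key the certificate.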

Since the announcement, we have been hard at work communicating with our host companies (who handle the SSL side of things) to make sure all our sites have been updated with the latest OpenSSL fix that came out shortly after the announcement.

What can you do about it?

As we touch up the SSL versions, we recommend you change all important passwords, including, but not limited to, email, site backends, payment gateways, etc., even personal bank accounts! By now, we expect all the major institutions to have applied the fix, but just to be safe, change all important passwords!

Curious if your site (or a site you use) is vulnerable? Check it with this tool by LastPass.

Want to know more?

If you want to dig deeper, check out heartbleed.com or read the official announcement put out by US-CERT (the Computer Emergency Readiness Team, part of the Department of Homeland Security).