Has your business implemented Heartbleed fixes? If not, then you are already late to the party, and are risking more than you might know. If you are a bank, online merchant, or software provider and you haven’t taken steps to protect your customers then you are risking their passwords, IDs, and all their private information.
What is HeartBleed?
You know all that top secret, private information like passwords and bank account information? Picture all of that falling into a software attacker's hands. Scary thought isn’t it? Well that is the reality of The Heartbleed Bug. This weakness allows stealing of information that is normally protected by SSL/TLS encryption used to secure the Internet.
What Is Normally Protected by SSL?
SSL security provides privacy over the Internet for applications such as web, email, instant messaging (IM) and virtual private networks. In a nutshell, your user-IDs, passwords, credit card numbers, and everything you put online is open for hackers to pocket. Not only do businesses need to make changes, users do to. Learn what steps to take to protect your private information from Heartbleed.
Why Ignoring Heartbleed Is Not An Option for Businesses
As a business owner you might really want to ignore this problem, but the truth is you can’t afford to. Users are well aware of Heartbleed's potential and will be checking to make sure their favorite websites are protecting them. If you do choose to ignore Heartbleed then you are compromising your users names, passwords, and actual content. Heartbleed allows attackers to eavesdrop on communications, steal data directly from the services and users and to even impersonate services and users.
The flaw can potentially be used to reveal not just the contents of a secured-message, such as a credit card transaction over HTTPS, but the primary and secondary SSL keys themselves. This data could then, in theory, be used as skeleton keys to bypass secure servers without leaving a trace that a site had been hacked.
How to Stop the Bleeding?
As long as the vulnerable version of OpenSSL is being used by your company then your users are at risk. A good solution is using “Fixed OpenSSL.” The Fixes OpenSSL has been released, but it is up to your company to implement it. Operating system vendors and distribution, appliance vendors, and independent software vendors have to adopt the fix and notify their users. Please do not ignore Heartbleed. This really is a bad bug that can do a lot of damage. Don’t be that company who ignores this issue and puts all its customers at risk.
Once you have updated your SSL, you will have to take a few more steps. You will need to revoke your old SSL digital certificate from your Certificate Authority and get a new one. Without taking this extra step, your old keys which have been harvested by hackers can still be used as an open door to walk right through your new SSL.
As soon as you have completed your SSL, and updated your certificate with a new one, you will need to tell all your users and customers to change their passwords. Sure, no one likes changing their passwords, but it’s an absolute must for them.
As a business it is up to you how you frame this email or message, but we highly suggest explaining why they need to change their passwords. Taking a little extra time to explain what Heartbleed is, and explaining the measures you have taken to protect them will strengthen their confidence in your services and keep them from canceling their account with you.
Thank you for taking the time to read our blog, if you have any question about Heartbleed, or need help transitioning your SSL please leave a comment below. Or contact us directly for help.