When the people in charge of keeping websites secure and keeping sensitive data private are running scared, you know it’s time to worry. A vulnerability called the Heartbleed Bug was discovered recently, and one of the things that has people freaking out is that companies don’t know if their data was ever compromised over the two-year period of vulnerability. To online shoppers and merchants alike, that’s frightening news.
The bug affects OpenSSL, an open-source implementation of the SSL and TLS protocols. SSL stands for Secure Sockets Layer, the standard security technology for establishing an encrypted link between a web server and a browser. This is what’s supposed to keep information – such as user IDs and passwords – safe from prying eyes.
Many people won’t enter credit card data into an online store unless they see the “s” in “https://” on their browser’s address bar. But now, reporters are quoting experts who say that, thanks to the bug, the security feature actually left data less secure than it would have been had OpenSSL not been used at all.
Social networking site Tumblr worded it like this in a blog post on Tuesday: “the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit.”
While reports indicate it’s a good idea to change your password on sites you use, it’s not clear exactly when you should do so. The bug is another example of why it’s a bad idea to use the same password on multiple websites.
Yahoo was caught with its pants down, and while security experts checking PayPal, eBay and Google said they were secure this week, that doesn’t mean they were never vulnerable.
Major ecommerce companies don’t appear to have communicated with customers about the vulnerability as of yet (except Etsy, see update below). Amazon did communicate with developers who use its cloud service to power their websites.
Monsoon Commerce appears to be one of the first ecommerce companies to blog about Heartbleed, writing on its blog that its technical team had begun assessing impact and vulnerabilities across all products, platforms, and service providers as soon as the vulnerability was announced.
Ironically, one of the companies affected by the vulnerability was a password manager, according to Cnet.
Keep an eye on the story as it continues to break, and if you operate an online storefront that uses HTTPS when customers go through checkout, check with your storefront provider and payment processors to ensure you take steps to protect your data and your customers’ data.
Update 4/9/14: Etsy published a blog post on Tuesday informing users about the bug and what it had done in response to the vulnerability and advising users on what they should do.
Here’s a helpful article from the Washington Post published early Wednesday morning.