How E-commerce Players Can Prevent Heartbleed Bug

by CXOtoday News Desk    Apr 11, 2014


The Heartbleed bug, which was announced earlier this week, has already affected over two-thirds of web servers worldwide, including numerous e-commerce sites. The bug is a serious flaw in some versions of OpenSSL, the popular open-source security software used to protect encrypted data such as passwords or payment card information during online transactions. In a recent blog post, Armando Roggio, e-commerce expert and director of marketing and ecommerce for a multi-channel retail chain, explains what e-commerce players and online retailers should know about this serious security bug.

Heartbeat is an extension to the TLS protocol that allows a server and a client (a web browser for instance) to maintain an open connection when no data is being transferred back and forth.

“Without getting too technical, the Heartbeat extension works by having one party — the web browser as an example — send a random message with a payload (content) of some number of bytes, and the other party — the web server in this example — is supposed to reply with a mirrored message of the same number of bytes,” states Roggio in his Practical Ecommerce blog.

Unfortunately, the line of code that was supposed to confirm that the message payloads matched was simply missing in the affected versions of OpenSSL. “Essentially, any properly formed message could get a response from the server. Thus, information is bleeding, if you will, from the heartbeat, giving us the Heartbleed bug,” he says.
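The missing check Roggio describes is easiest to see in code. The following is an added example, not code from the article or from Roggio's blog and not OpenSSL's own source: it models a simplified heartbeat record (one type byte, a two-byte big-endian payload length, the payload, then at least 16 bytes of padding) and places two responders side by side. `hb_respond_checked` refuses any record whose claimed payload length does not fit inside the bytes actually received; `hb_respond_unchecked` trusts the header and copies whatever lies beyond the record, confined here to a scratch buffer so the demo stays memory-safe. The function names, the constructed "secret" string and the scratch-buffer layout are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified heartbeat record layout assumed for this example:
 *   byte 0     : message type (1 = request, 2 = response)
 *   bytes 1-2  : payload_length, big-endian
 *   bytes 3... : payload bytes, followed by at least 16 bytes of padding
 */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

/* Build a request into buf. claimed_len is what the header says; actual_len
 * is how many payload bytes are really present. A well-formed request has
 * claimed_len == actual_len. Returns the record length, or 0 on overflow. */
size_t hb_build_request(uint8_t *buf, size_t cap, uint16_t claimed_len,
                        const uint8_t *payload, size_t actual_len) {
    size_t rec_len = HB_HEADER + actual_len + HB_PADDING;
    if (rec_len > cap) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + HB_HEADER, payload, actual_len);
    memset(buf + HB_HEADER + actual_len, 0, HB_PADDING); /* zero padding for determinism */
    return rec_len;
}

/* Hardened responder: the length in the header must fit inside what was
 * actually received. Returns bytes written to out, or 0 if the record is
 * silently dropped. */
size_t hb_respond_checked(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    uint16_t plen = (uint16_t)((rec[1] << 8) | rec[2]);
    /* The check the vulnerable versions lacked: claimed length must fit. */
    if ((size_t)HB_HEADER + plen + HB_PADDING > rec_len) return 0;
    size_t resp_len = HB_HEADER + plen + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, plen);
    memset(out + HB_HEADER + plen, 0, HB_PADDING);
    return resp_len;
}

/* Unchecked responder, for contrast: trusts plen and copies that many bytes
 * from wherever the record sits. It is confined to a caller-supplied scratch
 * region of mem_cap bytes so the demo never reads outside its own buffer;
 * that guard is part of the demo, not of the logic being illustrated. */
size_t hb_respond_unchecked(const uint8_t *mem, size_t mem_cap,
                            uint8_t *out, size_t out_cap) {
    if (mem_cap < HB_HEADER || mem[0] != HB_REQUEST) return 0;
    uint16_t plen = (uint16_t)((mem[1] << 8) | mem[2]);
    size_t resp_len = HB_HEADER + plen + HB_PADDING;
    if (resp_len > out_cap || (size_t)HB_HEADER + plen > mem_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = mem[1];
    out[2] = mem[2];
    memcpy(out + HB_HEADER, mem + HB_HEADER, plen); /* reads past the record */
    memset(out + HB_HEADER + plen, 0, HB_PADDING);
    return resp_len;
}

/* Portable substring search over raw bytes (memmem is not standard C). */
static int hb_contains(const uint8_t *hay, size_t hay_len,
                       const char *needle, size_t needle_len) {
    if (needle_len > hay_len) return 0;
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0) return 1;
    return 0;
}

/* A request claiming 40 payload bytes but carrying only 4, placed in a
 * scratch buffer followed by a constructed "secret". Returns 1 if the
 * unchecked reply contains the secret while the checked responder drops the
 * same record, 0 otherwise. */
int hb_demo_mismatched_length(void) {
    uint8_t scratch[128], reply[128];
    const char *secret = "CARD4111111111111111"; /* constructed, not real data */
    memset(scratch, 0, sizeof scratch);
    size_t rec_len = hb_build_request(scratch, sizeof scratch, 40,
                                      (const uint8_t *)"ping", 4);
    memcpy(scratch + rec_len, secret, strlen(secret));
    size_t n_unchecked = hb_respond_unchecked(scratch, sizeof scratch, reply, sizeof reply);
    int leaked = n_unchecked > 0 && hb_contains(reply, n_unchecked, secret, strlen(secret));
    size_t n_checked = hb_respond_checked(scratch, rec_len, reply, sizeof reply);
    return leaked && n_checked == 0;
}

/* A well-formed request (claimed == actual) must be answered by the checked
 * responder with a reply of the same length that echoes the payload. */
int hb_demo_wellformed(void) {
    uint8_t scratch[64], reply[64];
    size_t rec_len = hb_build_request(scratch, sizeof scratch, 4,
                                      (const uint8_t *)"ping", 4);
    size_t n = hb_respond_checked(scratch, rec_len, reply, sizeof reply);
    return n == rec_len && reply[0] == HB_RESPONSE &&
           memcmp(reply + HB_HEADER, "ping", 4) == 0;
}
```

The point to take from the two responders is that the hardened one never needs to know what is next to the record in memory: it compares the header's claim against the record length it was handed and drops anything inconsistent, which is exactly the one-line check whose absence the article describes.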

Online retailers should be concerned about Heartbleed because even merchants that adhered perfectly to the Payment Card Industry Data Security Standard (PCI DSS) and took every prudent precaution to protect customers' private information and payment card numbers may still have been vulnerable, Roggio writes. Even some exclusively brick-and-mortar retailers could have been vulnerable.

The bottom line is that customers' private information and payment card numbers are at risk, and every merchant should seek to protect its customers.

Roggio outlines several steps online merchants can take to protect customer data from Heartbleed. “First of all, ensure that, if your web server was running one of the vulnerable versions of OpenSSL, it is updated, patched, or recompiled without the heartbeat extension immediately. This will remove the security threat moving forward,” he says.

Unfortunately, since there is no way to know whether a particular web server was already compromised, meaning that some hacker or hackers may already have the web server's private keys, retailers will need to revoke and replace their SSL certificates once they are certain that the server is running a secure version of OpenSSL, explains Roggio.

“Finally, it may be a good idea to reset user passwords, since if a server was already compromised the bad guys and gals could already have users’ current passwords,” notes Roggio, adding that, given the scope and risk associated with the Heartbleed bug, it is a very good idea to change passwords for most, if not all, important business accounts, especially banking passwords.