How E-commerce Players Can Prevent Heartbleed Bug
The Heartbleed bug, which was announced earlier this week, has already affected over two-thirds of web servers worldwide, including numerous e-commerce sites. The so-called bug is a serious flaw in some versions of OpenSSL, the popular open-source security software used to protect encrypted data such as passwords or payment card information during online transactions. In a recent blog post, Armando Roggio, e-commerce expert and the director of marketing and ecommerce for a multi-channel retail chain, explains what e-commerce players and online retailers should know about this security bug.
Heartbeat is an extension to the TLS protocol that allows a server and a client (a web browser for instance) to maintain an open connection when no data is being transferred back and forth.
“Without getting too technical, the Heartbeat extension works by having one party — the web browser as an example — send a random message with a payload (content) of some number of bytes, to which the other party — the web server in this example — is supposed to reply with a mirrored message of the same number of bytes,” states Roggio in his Practical Ecommerce blog.
Unfortunately, the check that is supposed to confirm that the declared payload length matched the message actually received was simply missing in the affected versions of OpenSSL. “Essentially, any properly formed message could get a response from the server. Thus, information is bleeding, if you will, from the heartbeat, giving us the Heartbleed bug,” he says.
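As an added illustration (not code from Roggio's post or from OpenSSL), the following Python model shows the heartbeat record described above: the unpatched handler trusts the length field and copies that many bytes, while the patched handler first checks that the declared length fits inside the record and silently drops anything that does not. The handler names and the simulated heap contents are constructed for the example.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # minimum padding a heartbeat record must carry

# Constructed: data that happens to sit next to the record in server memory.
HEAP_AFTER_RECORD = b"session=abc123;cardlast4=4242;" + b"\x00" * 32


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Encode a heartbeat request: type(1) | length(2) | payload | padding.
    In a well-formed record claimed_len equals len(payload)."""
    header = struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len)
    return header + payload + b"\x00" * PADDING_LEN


def vulnerable_handler(record: bytes) -> bytes:
    """Model of the unpatched behaviour: echo claimed_len bytes starting at the
    payload, reading past the end of the record when the field is too large."""
    memory = record + HEAP_AFTER_RECORD  # simulated adjacent process memory
    _, claimed_len = struct.unpack("!BH", record[:3])
    echoed = memory[3:3 + claimed_len]
    header = struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_len)
    return header + echoed + b"\x00" * PADDING_LEN


def patched_handler(record: bytes):
    """Model of the fixed behaviour: the length field must fit within the
    record (type + length + payload + padding); otherwise discard silently."""
    if len(record) < 3:
        return None
    _, claimed_len = struct.unpack("!BH", record[:3])
    if 1 + 2 + claimed_len + PADDING_LEN > len(record):
        return None  # declared length exceeds what was actually received
    echoed = record[3:3 + claimed_len]
    header = struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_len)
    return header + echoed + b"\x00" * PADDING_LEN
```

A well-formed request is echoed identically by both handlers; only the patched one refuses a record whose length field overstates the payload.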
Online retailers should be concerned about Heartbleed, Roggio writes, because even merchants that adhered perfectly to the Payment Card Industry Data Security Standard (PCI DSS) and took every prudent precaution to protect customers’ private information and payment card numbers may still have been vulnerable. Even some exclusively brick-and-mortar retailers could have been vulnerable.
The bottom line is that customers’ private information and payment card numbers are at risk, and every merchant should seek to protect customers.
Roggio explains the steps online merchants can take to protect customer data from Heartbleed. “First of all, ensure that if your web server was running one of the vulnerable versions of OpenSSL, it is updated, patched, or recompiled without the heartbeat extension immediately. This will remove the security threat moving forward,” he says.
Unfortunately, since there is really no way to know whether a particular web server was already compromised, meaning that a hacker or hackers may already have the web server’s private keys, retailers will need to revoke and replace their SSL certificates once they are certain that the server is running a secure version of OpenSSL, explains Roggio.
“Finally, it may be a good idea to reset user passwords, since if a server was already compromised the bad guys and gals could already have users’ current passwords,” notes Roggio, adding that, given the scope and risk associated with the Heartbleed bug, it is a very good idea to change passwords for most, if not all, important business accounts, especially banking passwords.