
The ShipRush Product Management Blog

Heartbleed, Ecommerce, ShipRush and You

Even xkcd agrees, Heartbleed isn't funny.

[Image: heartbleed.png]

The Heartbleed bug is a serious problem on the web right now, affecting most web servers. If you operate a web site, of any kind (ecommerce, blog, etc.) and you have an SSL certificate (e.g. you always or sometimes use "https://" to access the site, not just "http://"), then you need to know about this and make sure you are covered.

UPDATE: 11 AM Pacific, April 9: The ShipRush team grabbed the urls of 10 random ZenCart and Magento stores using ShipRush and ran them through the vulnerability tester at http://filippo.io/Heartbleed/. Of the 10, THREE were found to have the vulnerability. This could be you! Most vulnerable are PHP based systems that tend to run on Apache and related web servers.

UPDATE: 10 PM Pacific, April 9: Of the three vulnerable sites, two have been fixed so far. Have you checked your web store?

The quick read: There is a standard library used throughout the open source world for handling SSL (the "s" in "https"). This library, called "OpenSSL", is used by the web server software that almost every Linux and OSX server runs. In the Linux and OSX worlds, the dominant web servers are Apache and Nginx. Many versions of both of these web servers ship with a vulnerable OpenSSL. (And this vulnerability may affect you even if you run these servers on Windows.)

So what is exposed? For as long as your server is vulnerable, sensitive data such as passwords, encryption keys, and other data that can be used to attack your system can be read remotely, by anyone, at any time.

Can I tell if I have been compromised? No. There is no logging of the attack on you. You have no way of knowing if you have been attacked or if potentially sensitive data has been accessed.

How can I protect my servers? The only way to protect yourself is to upgrade your servers AND to change passwords a few times during the process.

How do I know if my server is at risk? The quickest way is to run the tester here: http://filippo.io/Heartbleed/ Just enter your server's host name. For example, if your Magento server is at https://www.super-widgets.com simply enter www.super-widgets.com.
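If you have shell access to the server, you can also check the installed OpenSSL locally. The script below is an added example, not part of the original post or of any ShipRush tooling: it parses the banner printed by `openssl version` and reports whether it names an upstream release that carries the bug (1.0.1 through 1.0.1f, and the 1.0.2-beta1 pre-release; 1.0.1g and later are fixed, and the 0.9.8 and 1.0.0 branches never had the heartbeat code). The sample banners in the test are constructed.

```python
import re
import shutil
import subprocess

# Upstream OpenSSL releases that contain the Heartbleed bug (CVE-2014-0160):
# 1.0.1 through 1.0.1f, plus the 1.0.2-beta1 pre-release. 1.0.1g fixed it.
VULNERABLE_101_LETTERS = set("abcdef")

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_version(banner):
    """Parse the output of `openssl version` into (major, minor, fix, letter, beta).

    letter is '' for a base release such as 1.0.1; beta is None unless the
    banner names a pre-release such as 1.0.2-beta1.
    """
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def is_heartbleed_version(banner):
    """Return True if the banner names an upstream release with the bug."""
    if banner.startswith("LibreSSL"):
        # LibreSSL forked from OpenSSL 1.0.1g, after the fix, so it was never affected.
        return False
    major, minor, fix, letter, beta = parse_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        return letter == "" or letter in VULNERABLE_101_LETTERS
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1
    return False


def check_local_openssl():
    """Run the local `openssl version` binary, if present, and classify it.

    Returns (banner, vulnerable), or (None, None) when openssl is not installed.
    """
    if shutil.which("openssl") is None:
        return None, None
    proc = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=False)
    banner = proc.stdout.strip()
    return banner, is_heartbleed_version(banner)


if __name__ == "__main__":
    banner, vulnerable = check_local_openssl()
    if banner is None:
        print("openssl not found on this machine")
    else:
        print(banner, "->", "VULNERABLE upstream version" if vulnerable else "not an affected upstream version")
```

Two caveats for anyone relying on this check. Distributions such as Debian, Ubuntu and Red Hat backport the fix without bumping the letter, so a patched system can still print "1.0.1e"; on those systems the package changelog (or the "built on" date from `openssl version -a`) is the authority, and the hosted tester above remains the simplest confirmation. Second, a running Apache or Nginx keeps the old library mapped in memory until it is restarted, so a freshly upgraded package does not by itself close the hole.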

Note: If you use Windows as your web server (with its IIS web server), you are not vulnerable to this issue. This issue affects Apache, Nginx, and other web servers which are primarily used on Linux, Unix and OSX. (Big points to Microsoft on this one.)

So if you run your Magento/Zen Cart/PrestaShop/osCommerce/etc. on a Windows server under IIS (you can, you know, it works rather well!), you can stop reading. You have nothing to worry about.

Otherwise, please continue:

Step 1: Check your own web servers, especially ecommerce / cart web sites that you own/manage.

Step 2: Get any vulnerable servers updated immediately. Contact your hosting provider to do this.

Step 3: Immediately (without waiting for Step 2) change admin access passwords to new, long, machine-generated passwords.

Step 4: After your server is patched up and no longer vulnerable (test it again with http://filippo.io/Heartbleed/ after the update is installed), change admin access passwords AGAIN to new, long, machine-generated passwords.
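Steps 3 and 4 each call for new, long, machine-generated passwords, and the two sets must differ from each other. The script below is an added example (not from the original post or from ShipRush) that produces both sets for a list of admin accounts using the operating system's cryptographic random source via Python's `secrets` module, and reports how much entropy each password carries. The account names are constructed placeholders.

```python
import math
import secrets
import string

# Character set for generated passwords: letters, digits and punctuation that
# survives most web admin login forms without escaping trouble.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:,.?"


def generate_password(length=24, alphabet=ALPHABET):
    """Return a password of `length` characters drawn uniformly from `alphabet`.

    Uses the `secrets` module (OS CSPRNG), never `random`, which is predictable.
    """
    if length < 16:
        raise ValueError("use at least 16 characters for an admin password")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Bits of entropy in a uniformly generated password of the given length."""
    return length * math.log2(len(set(alphabet)))


def rotation_passwords(accounts, length=24):
    """For each admin account, produce the two passwords the procedure calls for:
    one to set immediately (Step 3) and a different one to set once the server
    is confirmed patched (Step 4). Returns {account: (now, after_patch)}."""
    plan = {}
    for account in accounts:
        now = generate_password(length)
        later = generate_password(length)
        while later == now:  # astronomically unlikely, but keep the pair distinct
            later = generate_password(length)
        plan[account] = (now, later)
    return plan


if __name__ == "__main__":
    # Constructed sample accounts; substitute the admin logins of your own store.
    for account, (now, later) in rotation_passwords(["magento-admin", "zencart-admin"]).items():
        print(account, "| step 3:", now, "| step 4:", later)
    print("entropy per password: %.0f bits" % entropy_bits(24))
```

Generate the Step 4 set only when you are ready to apply it, or keep it somewhere that was never on the vulnerable server; a password that sat in the same process memory an attacker could read is no better than the old one.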

What does this affect in the world of ShipRush and Ecommerce?

ShipRush Desktop

If you use ShipRush on the desktop, including the ShipRush service, there is no known vulnerability. ShipRush does not accept inbound SSL calls. And as you know, ShipRush should never be used on a machine that is visible to the public internet.

My.ShipRush Web Site

The My.ShipRush web site is accessed over SSL. It runs on Microsoft IIS which is not vulnerable to this issue.

Ecommerce Sites Accessed by My.ShipRush Web

Your Magento/OpenCart/Zen Cart/etc. servers may be vulnerable, but they are outside of the ShipRush universe. You should check them as discussed above. Also, in My.ShipRush, check the URL used to access your ecommerce system. Is it set to an https:// URL? If not, we strongly recommend changing it to https!

Additional curated links to useful and important information:

Updated 04-10-2014 at 09:38 AM by Rafael Zimberoff

ShipRush, Ecommerce