Addressing Heartbleed security issue with MIVA

    Addressing Heartbleed security issue with MIVA

    The Heartbleed openssl security issue reveals that MIVA Merchant lacks some tools that online merchants could use.

    I'm investigating how to force customers to do a password reset on their next MIVA login. How do I do this with MIVA 5.5? (PR8.12)

    The customer settings should include a "force password reset" as an option (both individually and globally)

    Can anyone suggest a solution?

    #2
    Re: Addressing Heartbleed security issue with MIVA

    We have the customer account reset on the Admin side (of course). I don't think it's ever come up on the Shoppers Side before. I'll ask Dev tomorrow about that process.
    Thanks,

    Rick Wilson
    CEO
    Miva, Inc.
    [email protected]
    https://www.miva.com



      #3
      Re: Addressing Heartbleed security issue with MIVA

      Personally, I wouldn't "force" users. I'd strongly encourage them. All that is needed for that is messaging on the Login screen.
      Bruce Golub
      Phosphor Media - "Your Success is our Business"

      Improve Your Customer Service | Get MORE Customers | Edit CSS/Javascript/HTML Easily | Make Your Site Faster | Get Indexed by Google | Free Modules | Follow Us on Facebook
      phosphormedia.com



        #4
        Re: Addressing Heartbleed security issue with MIVA

        Now that the cat is out of the bag (Heartbleed) and ecommerce customers know about it, shouldn't store owners assure them that their site isn't affected and at the same time ask them to change their password - just to be sure? Without doing this, sales could drop significantly.

        BTW I hope Miva's (Hostasaurus') servers are not infected ;-)
        Last edited by PCINET - Andreas; 04-10-14, 08:03 AM.
        Andreas Toman
        PCINET, LLC

        Miva Merchant Design, Development, Integration & Support
        We built over 200 Miva Merchant stores!
        Miva shopping cart design & integration service and see our Portfolio!


        e-mail: [email protected]
        web: www.pcinet.com
        LinkedIn: Andreas Toman
        phone: (786) 250-2056 (Miami, FL)



          #5
          Re: Addressing Heartbleed security issue with MIVA

          This wasn't an infection type scenario. Our servers were vulnerable for a small window and we patched them within minutes of the patch being released the other night.

          We're working on both a tool to assist in this process (customer account password resets) and a blog post on recommended actions.
          Thanks,

          Rick Wilson
          CEO
          Miva, Inc.
          [email protected]
          https://www.miva.com



            #6
            Re: Addressing Heartbleed security issue with MIVA

            Sorry, meant vulnerable!
            Andreas Toman
            PCINET, LLC

            Miva Merchant Design, Development, Integration & Support
            We built over 200 Miva Merchant stores!
            Miva shopping cart design & integration service and see our Portfolio!


            e-mail: [email protected]
            web: www.pcinet.com
            LinkedIn: Andreas Toman
            phone: (786) 250-2056 (Miami, FL)



              #7
              Re: Addressing Heartbleed security issue with MIVA

              Does Miva recommend upgrading our servers to OPENSSL 1.0.1? I'm running Miva Merchant Engine 5.19, with Miva Merchant 5.5.



                #8
                Re: Addressing Heartbleed security issue with MIVA

                Yes, we recommend upgrading to the latest OpenSSL. If you're on one of the compromised versions it's more than a recommendation.

                If you're hosted with us, we've already upgraded it for you.
                Thanks,

                Rick Wilson
                CEO
                Miva, Inc.
                [email protected]
                https://www.miva.com



                  #9
                  Re: Addressing Heartbleed security issue with MIVA

                  I'm not on one of the compromised versions, and not hosted with Miva. Will the upgrade affect anything in my mivavm.conf file? I assume that the certs for Empresa 5.19 will need to be updated?
                  Last edited by skepticwebguy; 04-15-14, 10:01 AM.



                    #10
                    Re: Addressing Heartbleed security issue with MIVA

                    skepticwebguy,

                    I'm not on one of the compromised versions, and not hosted with Miva. Will the upgrade affect anything in my mivavm.conf file? I assume that the certs for Empresa 5.19 will need to be updated?
                    If upgrading from OpenSSL v0.9, you will need to modify the mivavm.conf to point to the OpenSSL v1 cert files.

                    Example entry for the mivavm.conf:
                    If currently set to:
                    cadir=/path/to/mivavm-v5.19/certs/openssl-0.9

                    change to:
                    cadir=/path/to/mivavm-v5.19/certs/openssl-1.0

                    You will also want to confirm that the paths to the new OpenSSL files (also configured within the mivavm.conf) are correct as well.

                    Example:
                    openssl=/path/to/libssl.so
                    openssl_crypto=/path/to/libcrypto.so


                    Contact Miva Support if you run into any other questions or issues.


                    Thank you,
                    Wayne Smith
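The post above lists three mivavm.conf keys (cadir, openssl, openssl_crypto) that have to be updated together after the OpenSSL upgrade. The following is an added example, not code from the thread or from Miva: a small POSIX sh check that reads those three keys from a mivavm.conf-style file, verifies that every path actually exists, and flags a cadir that still points at the openssl-0.9 certificate directory. It assumes the file uses plain key=value lines as shown in the post; the directory layout and the sample configs in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a mivavm.conf after an
# OpenSSL upgrade. Only the three keys quoted in the thread are assumed:
# cadir, openssl, openssl_crypto. The demo layout below is constructed.

# conf_value FILE KEY: print the value of KEY from FILE (last match wins).
# Lines that do not start with KEY= (e.g. commented-out ones) are ignored.
conf_value() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1 | tr -d '\r'
}

# check_mivavm_conf FILE: one finding per line; returns 0 when every path
# exists and cadir no longer references openssl-0.9, otherwise 1.
check_mivavm_conf() {
    conf="$1"
    rc=0
    for key in cadir openssl openssl_crypto; do
        val=$(conf_value "$conf" "$key")
        if [ -z "$val" ]; then
            echo "MISSING  $key is not set in $conf"
            rc=1
            continue
        fi
        if [ ! -e "$val" ]; then
            echo "NOTFOUND $key=$val does not exist"
            rc=1
        else
            echo "OK       $key=$val"
        fi
    done
    # An upgraded library with the old certificate directory is the mistake
    # the post warns about, so call it out explicitly.
    case "$(conf_value "$conf" cadir)" in
        *openssl-0.9*)
            echo "STALE    cadir still points at the openssl-0.9 certificate directory"
            rc=1 ;;
    esac
    return $rc
}

# demo: build a constructed mivavm-v5.19 layout in a temp dir and run the
# check on a "before" config (cadir still on 0.9) and an "after" config.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/mivavm-v5.19/certs/openssl-0.9" \
             "$tmp/mivavm-v5.19/certs/openssl-1.0" "$tmp/lib"
    : > "$tmp/lib/libssl.so"
    : > "$tmp/lib/libcrypto.so"

    cat > "$tmp/before.conf" <<EOF
cadir=$tmp/mivavm-v5.19/certs/openssl-0.9
openssl=$tmp/lib/libssl.so
openssl_crypto=$tmp/lib/libcrypto.so
EOF
    # "after": the cadir change the post describes, library paths unchanged
    sed "s#openssl-0.9#openssl-1.0#" "$tmp/before.conf" > "$tmp/after.conf"

    echo "== before =="
    check_mivavm_conf "$tmp/before.conf" && echo "(clean)" || echo "(needs attention)"
    echo "== after =="
    check_mivavm_conf "$tmp/after.conf" && echo "(clean)" || echo "(needs attention)"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh check_mivavm.sh demo` to see the before/after findings, or source the file and call `check_mivavm_conf /path/to/mivavm.conf` against a real install; a non-zero exit means at least one of the three entries still needs attention.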



                      #11
                      Re: Addressing Heartbleed security issue with MIVA

                      BTW, here's a tutorial on how to get customers to force a PW change:

                      https://support.mivamerchant.com/sup...count-password
                      Thanks,

                      Rick Wilson
                      CEO
                      Miva, Inc.
                      [email protected]
                      https://www.miva.com
