OpenSSL Heartbleed vulnerability - ?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    OpenSSL Heartbleed vulnerability - ?

    Are there any issues we store owners need to deal with, or any attention needed server-wise?

    For those who don't know what this is, here is an explanation: http://mashable.com/2014/04/09/heart...ites-affected/
    Last edited by Datagg; 04-10-14, 09:05 PM.
    Dan

    Girlfriends Lingerie - "Keeping It Sexy!"
    Sexy Lingerie - Twitter - Facebook- Pinterest - YouTube

    #2
    Re: OpenSSL Heartbleed vulnerability - ?

    Hi Dan, here's more info http://www.mivamerchant.com/blog/hea...merchant-store
    David Hubbard
    CIO
    Miva
    [email protected]
    http://www.miva.com



      #3
      Re: OpenSSL Heartbleed vulnerability - ?

      I got an email from GeoTrust that listed several steps that need to be taken. It is all Greek to me and probably 90% of the other store owners. Are we supposed to be doing something or are the server folks who installed our certificates taking care of it?

      1. Generate a new Certificate Signing Request (CSR).
      2. Reissue any SSL certificates for affected web servers using the new CSR (do this after moving to a patched version of OpenSSL).
      3. Install the new SSL certificate and test your installation.
      4. After the new certificate is successfully installed, revoke any certificates that were replaced.
      5. Website administrators should also consider resetting end-user passwords that may have been visible in a compromised server memory.
      Bill Weiland - Emporium Plus http://www.emporiumplus.com/store.mvc
      Online Documentation http://www.emporiumplus.com/tk3/v3/doc.htm
      Question http://www.emporiumplus.com/mivamodu...vc?Screen=SPTS
      Facebook http://www.facebook.com/EmporiumPlus
      Twitter http://twitter.com/emporiumplus
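
The GeoTrust steps quoted in post #3, as an added example that is not part of the thread or any poster's own commands: a new CSR only helps if it is built on a newly generated private key, so this script creates one and checks that a reissued certificate matches the new CSR and does not reuse the replaced certificate's key. It assumes the `openssl` command-line tool is installed; `store.example.com`, the file names and the self-signing stand-in for the CA are placeholders.

```shell
#!/bin/sh
# Added example. All keys, CSRs and certificates below are constructed test data;
# store.example.com and the file names are placeholders.
set -eu

# SHA-256 of the public key inside a PEM file. $1 = key|csr|cert, $2 = path.
pubkey_fp() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Step 1: a CSR built on a freshly generated private key (never the old key).
new_csr() {   # $1 = key out, $2 = CSR out, $3 = hostname
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -subj "/CN=$3" 2>/dev/null
}

# Stand-in for the CA: self-sign the CSR so the example runs offline.
fake_issue() {   # $1 = CSR, $2 = key, $3 = cert out
    openssl x509 -req -in "$1" -signkey "$2" -days 30 -out "$3" 2>/dev/null
}

# Steps 2-3 check: the reissued cert must match the new CSR and must not
# reuse the key of the certificate it replaces.
reissue_ok() {   # $1 = old cert, $2 = new CSR, $3 = new cert
    old=$(pubkey_fp cert "$1"); req=$(pubkey_fp csr "$2"); new=$(pubkey_fp cert "$3")
    [ "$new" = "$req" ] && [ "$new" != "$old" ]
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"

new_csr old.key old.csr store.example.com      # certificate in use before patching
fake_issue old.csr old.key old.crt
new_csr new.key new.csr store.example.com      # step 1, done after OpenSSL is patched
fake_issue new.csr new.key new.crt             # step 2, CA reissues from new.csr
fake_issue old.csr old.key rekeyless.crt       # mistake: "reissue" from the old CSR

if reissue_ok old.crt new.csr new.crt; then echo "new.crt: fresh key, safe to revoke old.crt"; fi
if ! reissue_ok old.crt new.csr rekeyless.crt; then echo "rekeyless.crt: still the old key"; fi
```

Against a live store, give `pubkey_fp cert` the certificate the server actually presents (for example one saved from `openssl s_client -connect host:443 -servername host`) rather than the file on disk.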



        #4
        Re: OpenSSL Heartbleed vulnerability - ?

        If your cert was ordered through us, you can have our support staff generate a new one and have it reissued.
        David Hubbard
        CIO
        Miva
        [email protected]
        http://www.miva.com



          #5
          Re: OpenSSL Heartbleed vulnerability - ?

          Since this is something that is recommended - will you be sending out notices to store owners (hosted at Miva Merchant) to request cert regen/reissue?
          Leslie Kirk
          Miva Certified Developer
          Miva Merchant Specialist since 1997
          Previously of Webs Your Way
          (aka Leslie Nord leslienord)

          Email me: [email protected]
          www.lesliekirk.com

          Follow me: Twitter | Facebook | FourSquare | Pinterest | Flickr



            #6
            Re: OpenSSL Heartbleed vulnerability - ?

            Originally posted by lesliekirk:
            "Since this is something that is recommended - will you be sending out notices to store owners (hosted at Miva Merchant) to request cert regen/reissue?"

            Indeed. If this is necessary at this point, should we initiate a ticket to do so, or will it just be done?
            Dan

            Girlfriends Lingerie - "Keeping It Sexy!"
            Sexy Lingerie - Twitter - Facebook- Pinterest - YouTube



              #7
              Re: OpenSSL Heartbleed vulnerability - ?

              Thanks David. I submitted a support request.
              Bill Weiland - Emporium Plus http://www.emporiumplus.com/store.mvc
              Online Documentation http://www.emporiumplus.com/tk3/v3/doc.htm
              Question http://www.emporiumplus.com/mivamodu...vc?Screen=SPTS
              Facebook http://www.facebook.com/EmporiumPlus
              Twitter http://twitter.com/emporiumplus



                #8
                Re: OpenSSL Heartbleed vulnerability - ?

                We're prioritizing people who request them, so submit a ticket if you will.
                Thanks,

                Rick Wilson
                CEO
                Miva, Inc.
                [email protected]
                https://www.miva.com



                  #9
                  Re: OpenSSL Heartbleed vulnerability - ?

                  Sent request in also. Thanks guys.
                  Last edited by Datagg; 04-11-14, 09:37 AM.
                  Dan

                  Girlfriends Lingerie - "Keeping It Sexy!"
                  Sexy Lingerie - Twitter - Facebook- Pinterest - YouTube



                    #10
                    Re: OpenSSL Heartbleed vulnerability - ?

                    The likelihood of certificate data being stolen is relatively low, and the likelihood of that data being used for a malicious purpose is even lower. It is of course a risk though. Here's a very technical article from Cloudflare on some of the intricacies of trying to steal keys from memory:

                    http://blog.cloudflare.com/answering...ing-heartbleed

                    They've even launched a challenge for people to show they successfully stole a private key.

                    Now, a much greater risk is that user credentials were stolen from memory, such as if a website uses authentication of some sort for protected content. Or cookie and session data was stolen, which allows someone to remain logged in to a protected website; Facebook being a great example.
                    David Hubbard
                    CIO
                    Miva
                    [email protected]
                    http://www.miva.com



                      #11
                      Re: OpenSSL Heartbleed vulnerability - ?

                      "Now, a much greater risk is that user credentials were stolen from memory, such as if a website uses authentication of some sort for protected content."

                      I am assuming that since our site DOESN'T have CUSTOMER accounts (well, it does, but we don't link to the account page and no one ever creates an account), that takes one risk factor off the list, correct?

                      Are we still at risk though that someone may have stolen our admin login credentials?
                      Mark Romero
                      ~~~~~~~~



                        #12
                        Re: OpenSSL Heartbleed vulnerability - ?

                        "Are we still at risk though that someone may have stolen our admin login credentials?"

                        Yes.
                        Thanks,

                        Rick Wilson
                        CEO
                        Miva, Inc.
                        [email protected]
                        https://www.miva.com
