Last week, the media exploded with reports on Heartbleed. Dramatic headlines claiming that ‘no one is safe’ and ‘the internet is evil’ preceded articles filled with web jargon and an endless number of acronyms.
I thought I would try to explain ‘this Heartbleed thing’ in simple terms, with a short ‘Heartbleed for Dummies’ guide. So keep reading before you decide to close your online store, cancel your credit card or drown your smartphone!
Let’s start from the beginning.
A few quick terms you should know
When you access the World Wide Web, you begin by opening a web browser. For less web-savvy people, a web browser is a program on your computer that allows you to access a website. Examples of web browsers include Google Chrome, Mozilla Firefox and Safari.
Next, when you type in a link, your browser connects to a web server and requests a site/page. Then, the server sends the site/page back to the browser for you to view.
SSL (‘Secure Sockets Layer’) is a technology that creates an encrypted, secure link between the web server and web browser, allowing you to access web content safely and privately.
Not every website has an SSL connection. To create an SSL connection, as opposed to a connection where security is not guaranteed, the web server needs an SSL Certificate. When you apply for this certificate, the Certification Authority validates your details and issues your website a private key, which establishes a secure connection between your website and your customer’s web browser.
It’s more complicated than it sounds, but you can tell whether a website is protected by an SSL connection if it has a lock icon and an ‘https://’ before the URL, as the Pixc site does.
SSL was designed to prevent hackers from retrieving personal data submitted by users to a website. It does this by securing the connection between a server and your browser. SSL encryption is used by millions of websites to protect online transactions with customers; all online stores that accept credit cards must use SSL encryption.
So, what is Heartbleed?
Heartbleed is a bug, or programming error, within the SSL software that lets hackers exploit the data exchange between browsers and servers.
When you request information from a server, it gives you the exact information you requested. However, when an SSL-encrypted web server is affected by the Heartbleed bug, hackers are able to request data from the server’s private memory, which could contain user passwords, credit card details and private security keys — things you don’t want a hacker to know!
Heartbleed poses a threat to online retailers and online shoppers because, as I mentioned before, all online stores operate through SSL encryption.
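To make the flaw concrete, here is a toy model in C, added as an example and not taken from the original post or from any real SSL software: the client states how long its message is, and the unpatched server echoes back that many bytes without checking how many actually arrived. The memory layout, the `serve` function and the sample secret are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy model: one flat buffer stands in for the server's memory. */
#define MEM_SIZE 64
#define SECRET "password=hunter2"   /* constructed sample secret */
static char server_mem[MEM_SIZE];
static char reply[MEM_SIZE];        /* what gets sent back to the client */

/* The payload lands at the start of memory; unrelated private data sits right after it. */
static size_t load_request(const char *payload) {
    size_t actual_len = strlen(payload);
    if (actual_len > MEM_SIZE - sizeof(SECRET)) actual_len = MEM_SIZE - sizeof(SECRET);
    memset(server_mem, 0, MEM_SIZE);
    memcpy(server_mem, payload, actual_len);
    memcpy(server_mem + actual_len, SECRET, sizeof(SECRET));
    return actual_len;
}

/* Echo the payload back. claimed_len is the length the client SAYS it sent.
   patched == 0: trust the claim (the bug). patched == 1: check it first (the fix). */
static size_t serve(const char *payload, size_t claimed_len, int patched, char *out) {
    size_t actual_len = load_request(payload);
    if (patched && claimed_len > actual_len)
        return 0;                              /* mismatched request: send nothing back */
    if (claimed_len > MEM_SIZE) claimed_len = MEM_SIZE;  /* keep the toy model in bounds */
    memcpy(out, server_mem, claimed_len);      /* unpatched: reads past the payload */
    return claimed_len;
}

/* Returns 1 if the first n bytes of a reply contain the start of the secret. */
static int leaks_secret(const char *buf, size_t n) {
    const char *needle = "password=";
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0) return 1;
    return 0;
}

int main(void) {
    size_t n = serve("bird", 20, 0, reply);    /* 4 bytes sent, 20 claimed */
    printf("unpatched: %zu bytes back, secret leaked: %d\n", n, leaks_secret(reply, n));
    n = serve("bird", 20, 1, reply);
    printf("patched:   %zu bytes back, secret leaked: %d\n", n, leaks_secret(reply, n));
    n = serve("bird", 4, 1, reply);            /* honest request still works */
    printf("honest:    %zu bytes back, secret leaked: %d\n", n, leaks_secret(reply, n));
    return 0;
}
```

The only difference between the two behaviours is the single length comparison, which is why updating the SSL software is enough to close the hole.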
Stay calm! Here’s what to do
Don’t panic. The bug was found and this programming error has been fixed — vulnerable websites only need to update their SSL software to the newer version, which is bug-free.
To see if your website is vulnerable, use the Heartbleed Test. If your site is found to be vulnerable, contact your hosting provider or network administrator to update your SSL.
Many eCommerce platforms, including Shopify, have reassured their online store owners that all Shopify stores are safe to use, but recommend that you change your password as an extra security measure. This is a no-brainer; you should be changing your passwords every few months anyway.
For more info, check out The Heartbleed Bug information website.