Earlier this week, a security flaw known as Heartbleed was published that affects approximately two-thirds of all websites that use SSL encryption. This issue greatly impacts ecommerce websites because every online store that accepts credit cards must use SSL encryption.
Since its disclosure, there have been many news reports about Heartbleed and how it’s affecting websites, software and services across the internet. We want to provide more details on Heartbleed and how it affects ecommerce merchants. Most importantly, we want to stress that merchants and their customers using Shopify are safe from Heartbleed.
What is Heartbleed?
Heartbleed affects SSL, the security technology that is used for establishing an encrypted link between a web server and a browser. You know when you’re browsing a site using SSL when you see “https://” and the lock icon in your web browser. Heartbleed is a serious security bug that is present in the popular OpenSSL library that is used by many web servers to provide SSL security.
The Heartbleed issue could allow an attacker to access private memory on a web server. That memory could contain user passwords, credit card numbers, private security keys, or other such information.
This is a major security problem that affected, and continues to affect, millions of websites that use SSL.
How Did Heartbleed Affect Shopify?
As mentioned earlier, every ecommerce website that uses Shopify is secure against Heartbleed.
During the middle of day on April 7th, the Heartbleed issue became widely disclosed. The Shopify network security and operations team immediately set to work to protect our hosting infrastructure. By 7:00 p.m. they had rolled out a fix across core infrastructure, and by midnight all secondary systems had been secured. The operations team continued to work into the night, and by the following day, all keys and certificates had been re-issued.
Because of the rapid response of our operations team (faster than Google and Yahoo, for example) we haven’t detected any sensitive data being compromised. As a general precaution, we advise that you regularly change passwords, and other sensitive credentials like payment gateway and API credentials. This would be a good time to update all such passwords.
You can check your account login history for unusual activity by logging into your store admin, clicking on your name at the top left, then clicking “View your user account.” This will show when all your recently logins took place, what internet provider was used, and so on. You can also expire all your store’s active user sessions by clicking the appropriate button on your Account Settings page.
What About Other Ecommerce Systems?
Heartbleed affects millions of ecommerce websites. To determine if your ecommerce website is vulnerable to the issue, you can use the following tool: Heartbleed Test.
If your site is found to be vulnerable, please contact your hosting provider or network administrator immediately and ask them to upgrade their OpenSSL implementation. They will also need to cycle your ecommerce site’s SSL keys and certificates (and revoke your old ones, if possible). You should then also update any passwords, including your payment gateway credentials.
It’s important to fix this issue as soon as possible as there are already reports of this vulnerability being abused.
Is It Still Safe To Shop Online?
Because of all the publicity surrounding Heartbleed, one would assume that the majority of ecommerce sites will soon be secured against the issue. To re-iterate, all Shopify stores are safe from the Heartbleed vulnerability.
Meanwhile we do suggest the Chromebleed Checker extension for the Google Chrome web browser, as it will warn you if any website you enter your credit card details on is vulnerable to Heartbleed.
You can learn more about Heartbleed here.