News of the Heartbleed bug has made the rounds throughout mainstream media, and it would appear that the internet is coming to an end; fortunately, it’s not that bad. But Heartbleed is an insidious bug, albeit one focused only on a certain aspect of your website, and here’s what you need to know to make sure your site’s encrypted transactions are safe.
- Do you have an SSL certificate at your site? If you know the answer is no, then you can stop here. You’re fine.
  Not sure? Do you process credit card numbers via a payment gateway like authorize.net or PayPal pro? Then the answer is yes. If you still aren’t certain, head over to this tool, punch in your URL, and check.
- If you have an SSL certificate, you need to contact your SSL provider ASAP to see if they’ve tested for vulnerabilities. Only the worst of providers haven’t done that already and most have already reached out to users with status updates.
- If you don’t process transactions directly and instead rely on a box office provider to do that for you at their hosted site (most do these days), you still need to be in touch with them ASAP to make sure they’ve tested their SSL configuration and know if there are/were any vulnerabilities. After all, these are still your patrons and they’ll (rightly) blame you if their payment data was compromised.
- An additional point of contact for an SSL certificate is a secure email client, so if you process email via a different server than your website and it uses an SSL certificate, you’ll need to check that connection as well via the respective provider.
If you have a good provider, this whole scare has probably blown right past you. I’m thrilled to say that my hosting partner (who also handles installing and maintaining SSL certs) for The Venture Platform is not only good, they are great; as a result, all of our users with SSL certificates had zero vulnerability issues.
Granted, we still spent most of yesterday double and triple checking any potential weak points but when it was all said and done, we were shipshape (knock on wood).
If you think your data may have been compromised by a website or email server with a compromised SSL certificate, you should update your passwords ASAP, which is a good habit to get into anyway. Here’s a good resource for creating a strong password and guidelines on how often you should update them.