Major Security Update: Heartbleed

Late yesterday evening a major security vulnerability, called Heartbleed, was announced in OpenSSL, the software library that a large share of web servers use to provide SSL/TLS, the encryption behind ecommerce transactions and general data transmission over the internet (the “lock” in your browser). You can read more about the background and the technical details of the vulnerability here: http://heartbleed.com/. What you need to know is that the bug lets an attacker read up to 64 KB of a vulnerable server’s memory per request, which can expose the server’s private key, session cookies, passwords and other data that the encrypted connection was supposed to protect.

What this means for you.

Nothing if you are a Blackboxx customer. The BlackSquare security team was alerted to the vulnerability and patched it within four hours of the exploit being made public, and within an hour of a patch being made available. All this was done without any interruption to the Blackboxx platform, thanks to our redundant architecture. This is a faster turnaround than major companies like Amazon or Yahoo!. In fact, Yahoo! didn’t fix the vulnerability until over 18 hours after the exploit was made public.


If you’re not a Blackboxx customer, there is a good chance you are not being provided with the best security available.

BlackSquare looks out for your security.

The Blackboxx servers, which terminate the HTTPS connections for all of our clients’ sites, negotiate TLS 1.2 with AES-GCM cipher suites. Think of the protocol version (TLS 1.2) as the quality of your door and the cipher (AES-GCM) as the quality of your lock. If you have a great lock but your door is made of paper, it won’t do you much good (and vice versa). Note that neither of these is a property of the certificate itself: the certificate proves who the server is, while the protocol version and cipher are chosen each time a connection is set up. Wikipedia’s Transport Layer Security article tabulates these combinations, and you’ll notice the TLS 1.2 / AES-GCM combination is rated “secure” against publicly known feasible attacks.

[Image: cipher comparison table] *Most ecommerce providers are currently insecure

What should you ask your ecommerce provider?

We have conducted a quick survey of the global wine ecommerce landscape. Security standards vary: some providers use TLS 1.0 with RC4_128, and another major provider is running SSL 3.0 with RC4_128. Both combinations are insecure. RC4 has known statistical biases that let an attacker recover plaintext given enough encrypted traffic, and SSL 3.0 is an obsolete protocol version, so a weak lock is hung on a weak door.


In fact, Microsoft suggested in November 2013: “In light of recent research into practical attacks on biases in the RC4 stream cipher, Microsoft is recommending that customers enable TLS1.2 in their services and take steps to retire and deprecate RC4 as used in their TLS implementations. Microsoft recommends TLS1.2 with AES-GCM as a more secure alternative which will provide similar performance.

[Image: browser address bar with lock icon] *Check your site by clicking the secure lock in the address bar.

Microsoft strongly encourages customers to evaluate, test and implement the options for disabling RC4 below to increase the security of clients, servers and applications. Microsoft recommends enabling TLS1.2 and AES-GCM.”

Check what your site actually negotiates: click the lock in your browser’s address bar and then “Connection”, which shows the protocol version and cipher in use (these belong to the connection, not to the certificate itself), or ask your ecommerce provider what combination they are running on your site. If your provider’s servers were affected by Heartbleed, also ask whether they regenerated their private keys and reissued their certificates after patching, because a key that sat in memory while the bug was exploitable cannot be assumed to still be secret. If you’re concerned about data security, and you should be, give us a call and we’d be happy to help.
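Clicking the lock works for one site at a time. The script below is an added example, written for this post and not part of BlackSquare’s tooling, that automates the same check with only the Python standard library: it connects to a host, reads back the negotiated protocol version and cipher, and rates the pair with the door-and-lock criteria above (SSL 3.0 or RC4 is insecure, TLS 1.2 with AES-GCM is secure, anything in between is weak). It goes one step beyond the text by also capping the client at TLS 1.0 and TLS 1.1 to see whether the server still accepts those older versions even when it prefers something newer. The rating rules, the probe list and the placeholder hostname are my own assumptions; the verdicts for real sites will depend on what those servers are configured to offer.

```python
"""Report the TLS protocol and cipher a site negotiates, and rate the pair.

Added example for this post; the rating rules are a simplification of the
post's door-and-lock criteria and are assumptions, not BlackSquare's policy.
"""
import socket
import ssl

# Protocol names as returned by ssl.SSLSocket.version(). TLS 1.0 is "TLSv1".
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3"}
MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Assumption: cipher suites containing these tokens are treated as broken locks.
BROKEN_CIPHER_MARKERS = ("RC4", "NULL", "EXPORT", "MD5")
# Authenticated-encryption suites (AES-GCM and similar) count as a good lock.
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def rate(protocol: str, cipher: str) -> str:
    """Classify a negotiated (protocol, cipher) pair as 'secure', 'weak' or 'insecure'.

    The door (protocol) and the lock (cipher) must both hold: an obsolete
    protocol or a broken cipher is insecure regardless of the other half.
    """
    name = cipher.upper()
    if protocol in OBSOLETE_PROTOCOLS:
        return "insecure"            # SSL 3.0 or older: the door is paper
    if any(marker in name for marker in BROKEN_CIPHER_MARKERS):
        return "insecure"            # RC4 and friends: the lock is broken
    if protocol in MODERN_PROTOCOLS and any(m in name for m in AEAD_MARKERS):
        return "secure"              # TLS 1.2/1.3 with AES-GCM or another AEAD suite
    return "weak"                    # e.g. TLS 1.0 with AES-CBC: only safe with mitigations


def probe(host: str, port: int = 443, max_version=None, timeout: float = 5.0):
    """Open one TLS connection and return (protocol, cipher_name, key_bits).

    max_version caps what the client offers, so probe(host, max_version=
    ssl.TLSVersion.TLSv1) reveals whether the server still accepts TLS 1.0
    even though it would prefer something newer. Failures propagate as
    ssl.SSLError / OSError / ValueError so the caller can report them.
    """
    ctx = ssl.create_default_context()
    if max_version is not None:
        ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
        ctx.maximum_version = max_version
        ctx.set_ciphers("ALL:@SECLEVEL=0")   # let the old suites be offered for the probe
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return tls.version(), name, bits


# (label, client-side cap): the default probe plus two downgrade probes.
PROBES = [
    ("default", None),
    ("TLS 1.0 cap", ssl.TLSVersion.TLSv1),
    ("TLS 1.1 cap", ssl.TLSVersion.TLSv1_1),
]


def audit(host: str, port: int = 443, timeout: float = 5.0):
    """Run every probe against host and return (label, protocol, cipher, bits, verdict) rows.

    A refused or failed handshake is a finding too: for the capped probes it
    means the server no longer accepts that protocol version.
    """
    rows = []
    for label, cap in PROBES:
        try:
            proto, cipher, bits = probe(host, port, cap, timeout)
            rows.append((label, proto, cipher, bits, rate(proto, cipher)))
        except (ssl.SSLError, OSError, ValueError) as exc:
            rows.append((label, None, None, None, f"refused ({type(exc).__name__})"))
    return rows


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # placeholder host
    for label, proto, cipher, bits, verdict in audit(target):
        print(f"{target:28} {label:12} {proto or '-':8} {cipher or '-':34} {verdict}")
```

Run it as `python tls_check.py shop.example.com`. A healthy result is a `secure` verdict on the default probe and `refused` on both capped probes; a `weak` or `insecure` verdict on a capped probe means a downgrading attacker can still get an old protocol out of the server even if your own browser negotiates TLS 1.2. Certificate validation is left enabled on purpose, so a site with a broken certificate fails the probe rather than silently passing.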