Recently, the news has been full of stories about this so-called Heartbleed bug. It’s one of the worst internet flaws ever uncovered, and it got millions of people shaking in their virtual boots. What is the Heartbleed bug? It is a security flaw that was uncovered in early April in software called OpenSSL. This software is designed to encrypt communications between a user’s computer and a web server. It’s been likened to a sort of secret handshake at the beginning of a secure conversation. The name ‘Heartbleed’ came from the extension to SSL (Secure Sockets Layer) that is affected, which engineers called Heartbeat.
OpenSSL is used extensively throughout the internet – it’s thought that around two-thirds of all websites use it. From major sites such as Google and Yahoo! to small sites run by individuals, the list is huge. Mumsnet and the Canada Revenue Agency are just two sites that have reported that they have had data stolen via the Heartbleed bug.
Heartbleed affects much more than just websites, but it’s important to know what types of websites may be affected. Ecommerce shopping sites, financial institutions, web-based e-mail, and social media — fundamentally any website that you need to log in to with a username and password — are all potentially susceptible to Heartbleed. These usually have a website address that begins with HTTPS, where the ‘S’ actually stands for ‘Secure’ – ironic, I know.
When the bug came to light, a security update was released that closed the hole. Do you know if your web host has done their job and ensured that the server your website is running on has been updated?
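One quick way to start answering that question for a server you can log in to, as an added example rather than anything from the original post: a small POSIX shell script that classifies the `openssl version` string against the affected range. The function and script names are my own, and the sample version strings are constructed to mimic `openssl version` output. The facts it relies on are that the bug lives in the TLS Heartbeat extension introduced in OpenSSL 1.0.1, that releases 1.0.1 through 1.0.1f are affected and 1.0.1g (7 April 2014) fixed it, and that the 1.0.0 and 0.9.8 branches never had the extension. The important caveat is that many Linux distributions backport the fix without changing the version number, so a "vulnerable-range" verdict means "confirm against your vendor's package changelog", not "definitely exposed"; the script also flags builds compiled with `OPENSSL_NO_HEARTBEATS`, which disables the extension outright.

```shell
#!/bin/sh
# Added example (not from the original post): a first check of whether a
# server's OpenSSL falls in the Heartbleed-affected version range.
# Caveat: distro packages often carry the fix under an old version string,
# so treat "vulnerable-range" as "go and check the vendor changelog".

heartbleed_version_check() {
    # $1: one full `openssl version` line, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
    set -- $1                 # split on whitespace: $1=OpenSSL, $2=version
    ver=${2:-}
    ver=${ver%%-*}            # drop suffixes such as "-fips" or "-beta1"
    case "$ver" in
        1.0.1|1.0.1[a-f]) echo "vulnerable-range" ;;   # 1.0.1 .. 1.0.1f
        1.0.1[g-z])       echo "fixed-range" ;;        # 1.0.1g and later
        1.0.0*|0.9.8*)    echo "not-affected" ;;       # no heartbeat extension
        *)                echo "unknown" ;;            # consult the vendor
    esac
}

heartbleed_check_local() {
    # Run the classification against the OpenSSL binary on this host.
    # `openssl version -a` also prints the compile flags; a build made with
    # -DOPENSSL_NO_HEARTBEATS has the extension disabled regardless of version.
    line=$(openssl version 2>/dev/null || echo "openssl not found")
    echo "openssl: $line"
    echo "verdict: $(heartbleed_version_check "$line")"
    if openssl version -a 2>/dev/null | grep -q 'OPENSSL_NO_HEARTBEATS'; then
        echo "note: built with OPENSSL_NO_HEARTBEATS (heartbeat extension disabled)"
    fi
    return 0
}

# With no arguments, run over constructed sample lines; pass --local to
# check the OpenSSL installed on this machine instead.
if [ "${1:-}" = "--local" ]; then
    heartbleed_check_local
else
    for sample in "OpenSSL 1.0.1e 11 Feb 2013" \
                  "OpenSSL 1.0.1g 7 Apr 2014" \
                  "OpenSSL 1.0.0l 6 Jan 2014"; do
        echo "$sample -> $(heartbleed_version_check "$sample")"
    done
fi
```

A verdict of "fixed-range" or "not-affected" from the version string alone is still only half the story: a patched library does nothing for a web server process that was never restarted after the update, and any private keys served by a vulnerable build should be treated as potentially exposed, which is why the public advice at the time was to reissue certificates as well as patch.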
Working with a reputable hosting provider is vital to ensure that your site is as well-protected as it can be. Good hosting needn’t be very expensive, but ‘cheap’ isn’t necessarily a sign of good value. Many websites use scripting languages and database facilities, such as PHP and MySQL. These are constantly under review and development, with security patches and new features released on a regular basis. Is your hosting provider keeping on top of these releases and installing these updates on your server? As soon as the Heartbleed vulnerability was announced, our servers were updated with the necessary security fixes.
What about backups? Do you have the facility to take regular backups of your website? Not sure? Just ask your host whether you have the facility to do this. If you wouldn’t know how to go about taking a backup yourself, you should at least have the reassurance that your hosting provider is taking regular backups. Sites that we host are backed up daily, with an archive covering up to the last 30 days.
A new client for whom I was building a fresh website was keen to have the new site hosted with their existing provider. The software being used to build the site had certain server requirements to be able to run. After checking with their current host as to whether their system was up to spec, it transpired that their servers were running scripting and database versions that had been superseded four years previously! No prizes for guessing where the new site is hosted.
It’s almost akin to running your nice new, shiny car with cheap, worn tyres; it may work for a while, but it will inevitably end in tears. Just make sure that it’s not you that needs the handkerchief.