
Heartbleed bug - does my Kartris site need updating?

11 Apr 2014

What is the Heartbleed bug?

The Heartbleed bug has received a lot of high-profile media coverage over the last few days. The bug is undoubtedly serious as it potentially exposes any sensitive data transferred between a supposedly 'secure' server and a web browser. The media has highlighted the huge number of web sites that are/were affected, well over 50% of those on the internet including large ones such as Google, Yahoo and Facebook.

Why are only some secure sites affected?

It's important to understand, however, that this is not a bug in SSL itself but in a popular implementation of it - OpenSSL - which is widely used in open source software. Kartris is designed to run on Windows Server, and the IIS web server within it is NOT affected by Heartbleed because it uses Microsoft's own implementation of SSL and not the OpenSSL code.

Are all sites running on Windows server safe?

There are some exceptions. It is possible to run open source web servers like Apache on Windows. However, in practice, nobody does this - and Kartris won't run on Apache. If you have hosting for your Kartris site, it *will* be on IIS, Microsoft's web server. Some hosts also implement SSL, even for Windows servers, using Apache or nginx servers sitting in front of the Windows machines. However, Kartris will not work properly with SSL implemented in this way (when it checks whether the page is secure, it concludes that it isn't, because SSL is not implemented on the Windows server itself, and so it goes into a redirect loop). So in summary, your Kartris site should be safe, but check with your host regarding your server if you are in any doubt.
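The redirect loop described above, modelled as an added example (this is illustrative code, not Kartris's own): a naive "is this page secure?" check behind a TLS-terminating proxy keeps redirecting to https, while a proxy-aware check honours X-Forwarded-Proto only from an assumed proxy address (10.0.0.5 here) so that a direct client cannot simply claim to be on https.

```python
# Constructed model of a secure-page check behind a reverse proxy that
# terminates SSL/TLS and forwards plain http to the Windows web server.
from dataclasses import dataclass, field

TRUSTED_PROXIES = {"10.0.0.5"}   # assumed address of the TLS-terminating proxy


@dataclass
class Request:
    scheme: str                  # what the web server itself sees: "http" or "https"
    remote_addr: str             # peer that connected to the web server
    headers: dict = field(default_factory=dict)


def naive_is_secure(req: Request) -> bool:
    # Looks only at the server's own connection (Request.IsSecureConnection-style).
    return req.scheme == "https"


def proxy_aware_is_secure(req: Request) -> bool:
    # Trust X-Forwarded-Proto only when the peer is the known proxy; anyone
    # connecting directly cannot upgrade themselves to "https" with a header.
    if req.remote_addr in TRUSTED_PROXIES:
        forwarded = req.headers.get("X-Forwarded-Proto", "").lower()
        if forwarded:
            return forwarded == "https"
    return req.scheme == "https"


def simulate_secure_page(is_secure, req: Request, max_hops: int = 5):
    """A page that redirects to https whenever it believes it is insecure.
    The proxy terminates TLS and forwards plain http every time, so the
    request the server sees after each redirect is identical to the last.
    Returns ("ok", hops) when the page is served or ("loop", hops) if the
    redirect budget is exhausted."""
    hops = 0
    while hops < max_hops:
        if is_secure(req):
            return ("ok", hops)
        hops += 1   # browser follows the redirect; proxy forwards http again
    return ("loop", hops)


# Constructed requests. The browser used https; the proxy forwarded plain http.
via_proxy = Request("http", "10.0.0.5", {"X-Forwarded-Proto": "https"})
# A direct plain-http client that sets the header itself must not be trusted.
direct_claim = Request("http", "203.0.113.9", {"X-Forwarded-Proto": "https"})
```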

So I don't need to do anything?

While your Kartris site is not vulnerable, it is still advisable to change your username/password if you use the same details elsewhere or may have transferred them through a system which could have been vulnerable. Kartris won't leak those details, but another site where you use them might have done.

Also consider that your payment system may run on servers which are affected. So you should change your passwords there, or verify from the vendor that their system is not affected.

It is also a good time to consider implementing IP address security on your back end too. While unrelated to Heartbleed, it provides another valuable layer of security for your site by preventing access to the back end, even if someone had obtained your login details.

Implement back end IP security on Kartris
