According to the tools available, Shopify does use OpenSSL. They appear to have patched the issue, but have yet to reissue new certificates. This has me concerned.
ext 65281 (renegotiation info, length=1)
ext 00011 (EC point formats, length=4)
ext 00035 (session ticket, length=0)
ext 00015 (heartbeat, length=1) <-- Your server supports heartbeat. Bug is possible when linking against OpenSSL 1.0.1f or older. Let me check.
Actively checking if CVE-2014-0160 works: Your server appears to be patched against this bug.
Checking your certificate
Certificate has NOT been reissued since the 0day. <-- Your stuff may be compromised. Consider changing the certificate and passwords.
All of our certificates were reissued within 24 hours of the vulnerability announcement. It looks like the tool you're using to verify may have some faulty logic. If you can send over your test details including the domain name and tool you're using to firstname.lastname@example.org we'll definitely take a closer look just to make sure.
If I input checkout.shopify.com at https://lastpass.com/heartbleed/, it says the following:
Detected server software of nginx
That server is known to use OpenSSL and could have been vulnerable.
The SSL certificate for checkout.shopify.com valid 3 days ago at Apr 6 17:16:09 2014 GMT.
This is before the heartbleed bug was published, it may need to be regenerated.
This is from LastPass a few minutes ago.
Server software: nginx
Vulnerable: Definitely (known use OpenSSL)
SSL Certificate: Unsafe (created 4 days ago at Apr 6 17:16:09 2014 GMT)
Assessment: Wait for the site to update before changing your password
I'd like to let my customers know the situation. Is it safe for them to shop? Should they log on and create new passwords? Please address this issue. If it's not serious, it would be good to know. If it is, it should be taken care of.
Hi Tai and Leslie,
We do use OpenSSL and nginx at Shopify. We re-generated all our certificates the morning of April 8, after the bug was announced.
The certificate authority that we use to issue our certificates backdates the start date of certificate validation by a few days.
The reason for the backdating is that some computers (especially older, personal computers) have clock inconsistencies due to a variety of factors. They backdate the certificates to avoid any issues.
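Added example, not part of any post in this thread and not Shopify's or LastPass's code. It shows why a checker that only compares a certificate's notBefore date with the disclosure date produces the false "NOT been reissued" verdict seen above when the CA backdates notBefore, and what a more reliable check looks like: compare the serial number against a snapshot taken before the disclosure, and treat a notBefore that falls shortly before the disclosure as inconclusive rather than as proof the certificate is old. The certificate dictionaries follow the shape Python's ssl.SSLSocket.getpeercert() returns; the notBefore value is the one quoted in the thread, while the serial numbers, the notAfter values and the exact disclosure timestamp are constructed assumptions.

```python
"""Was a TLS certificate reissued after the Heartbleed disclosure?

Added example; not code from the forum thread, Shopify or LastPass.
Certificates are represented as the dicts ssl.SSLSocket.getpeercert()
returns.  Serial numbers, notAfter values and the disclosure timestamp
are constructed assumptions; the notBefore string is from the thread.
"""
import ssl
from datetime import datetime, timedelta, timezone

# Assumption: approximate public disclosure time of CVE-2014-0160 (UTC).
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Constructed sample: notBefore copied from the thread, serial made up.
CURRENT_CERT = {
    "subject": ((("commonName", "checkout.shopify.com"),),),
    "notBefore": "Apr  6 17:16:09 2014 GMT",
    "notAfter": "Apr  6 23:59:59 2015 GMT",
    "serialNumber": "0B2C3D4E5F60718293A4B5C6D7E8F901",
}
# Constructed sample: a certificate genuinely issued months before disclosure.
OLD_CERT = {
    "subject": ((("commonName", "checkout.shopify.com"),),),
    "notBefore": "Jan 10 00:00:00 2014 GMT",
    "notAfter": "Jan 10 23:59:59 2015 GMT",
    "serialNumber": "0000000000000000000000000000000A",
}


def not_before(cert):
    """Parse getpeercert()'s notBefore string into an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def naive_reissued(cert, disclosure=DISCLOSURE):
    """Date-only logic like the checkers quoted in the thread: the
    certificate counts as reissued only if notBefore is after disclosure.
    A CA that backdates notBefore turns a fresh certificate into a
    false 'not reissued' result."""
    return not_before(cert) >= disclosure


def assess_reissue(cert, disclosure=DISCLOSURE, previous_serial=None,
                   backdate_tolerance=timedelta(days=7)):
    """Return 'reissued', 'not_reissued' or 'inconclusive'.

    A reissued certificate always carries a new serial number, so when a
    serial recorded before the disclosure is available that comparison is
    authoritative.  Without one, fall back to notBefore, but refuse to
    declare a certificate 'not reissued' when notBefore lies inside the
    window a CA might have backdated it into.
    """
    if previous_serial is not None:
        # Normalise case and leading zeros so formatting differences
        # between tools do not masquerade as a changed serial.
        serial_now = cert["serialNumber"].upper().lstrip("0")
        serial_old = previous_serial.upper().lstrip("0")
        return "reissued" if serial_now != serial_old else "not_reissued"
    start = not_before(cert)
    if start >= disclosure:
        return "reissued"
    if start >= disclosure - backdate_tolerance:
        return "inconclusive"
    return "not_reissued"


if __name__ == "__main__":
    print("date-only check:", naive_reissued(CURRENT_CERT))
    print("serial known:   ",
          assess_reissue(CURRENT_CERT, previous_serial=OLD_CERT["serialNumber"]))
    print("serial unknown: ", assess_reissue(CURRENT_CERT))
    print("old certificate:", assess_reissue(OLD_CERT))
```

With the thread's own notBefore value the date-only check returns False, which is exactly the "NOT been reissued" verdict the tools printed, while the serial comparison against a pre-disclosure snapshot reports the certificate as reissued. Without a snapshot the right answer is "inconclusive", not "unsafe"; a practitioner who wants certainty should record serial numbers or fingerprints of the certificates they depend on, so that a later comparison does not rest on a date a CA is free to shift.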
The reason I went with Shopify, a hosted site, is so that I do not have to be concerned with security issues like I did with my previous open source OS commerce site. How do I know if my site has not been compromised? I'm not a techie and want to be able to focus on running my business, not concern myself with these issues. Please advise.