Heartbleed - Shopify sites affected?

Shopify Partner

Hi, please update us on this: does Shopify make use of OpenSSL? Heartbleed.com

Thanks,

Mike

 

New Member

According to the tools available, Shopify does use OpenSSL. They appear to have patched the issue, but have yet to reissue new certificates. This has me concerned.

ext 65281 (renegotiation info, length=1)
ext 00011 (EC point formats, length=4)
ext 00035 (session ticket, length=0)
ext 00015 (heartbeat, length=1) <-- Your server supports heartbeat.
Bug is possible when linking against OpenSSL 1.0.1f or older. Let me check.
Actively checking if CVE-2014-0160 works: Your server appears to be patched against this bug.
Checking your certificate
Certificate has NOT been reissued since the 0day. <-- Your stuff may be compromised. Consider changing the certificate and passwords.
 

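The line "ext 00015 (heartbeat, length=1)" in the output quoted above comes from reading the extensions the server echoes in its ServerHello. The following Python script is added to this thread and is not code from the checker quoted above, from Shopify or from LastPass: it parses a ServerHello record and reports whether the heartbeat extension (RFC 6520, type 15) was negotiated and in which mode. The ServerHello bytes it assembles are constructed for the demonstration (the four extension types match the quoted output; the bodies, cipher suite and random are assumptions), not captured from any Shopify host. Caveat: advertising heartbeat is a precondition for CVE-2014-0160, not evidence of it. A patched OpenSSL still advertises the extension, and the checker's separate "appears to be patched" verdict comes from an active probe that this script does not perform.

```python
"""Does a TLS server advertise the heartbeat extension?

Parses one TLS record carrying a ServerHello and returns the extensions the
server echoed.  Extension type 15 is heartbeat (RFC 6520); its one-byte body
is the HeartbeatMode.  The record bytes used in the demo are constructed,
not captured from any live host.
"""
import struct

HEARTBEAT_EXT = 15
HEARTBEAT_MODES = {1: "peer_allowed_to_send", 2: "peer_not_allowed_to_send"}
EXT_NAMES = {11: "ec_point_formats", 15: "heartbeat",
             35: "session_ticket", 65281: "renegotiation_info"}


def parse_server_hello_extensions(record: bytes) -> dict:
    """Return {extension_type: extension_data} from a ServerHello record.

    Raises ValueError when the record is truncated or the length fields
    disagree, so a malformed reply is reported rather than misparsed.
    """
    if len(record) < 5:
        raise ValueError("short TLS record")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 22 or len(record) < 5 + rlen:           # 22 = handshake
        raise ValueError("not a complete handshake record")
    body = record[5:5 + rlen]
    if len(body) < 4:
        raise ValueError("short handshake header")
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    if htype != 2 or len(body) < 4 + hlen:              # 2 = ServerHello
        raise ValueError("not a complete ServerHello")
    sh = body[4:4 + hlen]
    pos = 2 + 32                                        # server_version, random
    if len(sh) < pos + 1:
        raise ValueError("truncated ServerHello")
    pos += 1 + sh[pos]                                  # session_id
    pos += 2 + 1                                        # cipher_suite, compression_method
    if pos == len(sh):
        return {}                                       # no extensions block at all
    if pos + 2 > len(sh):
        raise ValueError("truncated ServerHello")
    (ext_total,) = struct.unpack("!H", sh[pos:pos + 2])
    pos += 2
    if pos + ext_total != len(sh):
        raise ValueError("extensions length mismatch")
    exts = {}
    while pos < len(sh):
        if pos + 4 > len(sh):
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack("!HH", sh[pos:pos + 4])
        pos += 4
        if pos + elen > len(sh):
            raise ValueError("extension overruns block")
        exts[etype] = sh[pos:pos + elen]
        pos += elen
    return exts


def heartbeat_mode(record: bytes):
    """HeartbeatMode name if the server echoed the extension, else None."""
    data = parse_server_hello_extensions(record).get(HEARTBEAT_EXT)
    if data is None:
        return None
    if len(data) != 1 or data[0] not in HEARTBEAT_MODES:
        raise ValueError("malformed heartbeat extension body %r" % data)
    return HEARTBEAT_MODES[data[0]]


def build_server_hello(extensions) -> bytes:
    """Constructed helper for the demo: a TLS 1.2 ServerHello record carrying
    the given [(type, data), ...] extensions, empty session id, zero random
    and an assumed cipher suite (0xC02F)."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    sh = (b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
          + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    body = b"\x02" + len(sh).to_bytes(3, "big") + sh
    return struct.pack("!BHH", 22, 0x0303, len(body)) + body


if __name__ == "__main__":
    # The same four extension types the quoted checker listed; bodies are constructed.
    record = build_server_hello([(65281, b"\x00"), (11, b"\x03\x00\x01\x02"),
                                 (35, b""), (15, b"\x01")])
    for etype, data in parse_server_hello_extensions(record).items():
        print("ext %5d (%s, length=%d)" % (etype, EXT_NAMES.get(etype, "?"), len(data)))
    print("heartbeat:", heartbeat_mode(record))
```

On a live host the record would be the first reply after sending a ClientHello that itself offers the heartbeat extension; a mode of peer_allowed_to_send is what the quoted checker reports as "Your server supports heartbeat". Whether the heartbeat implementation is the vulnerable one is a separate question the extension list cannot answer.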
Shopify Staff (Retired)

Hi Chris,

All of our certificates were reissued within 24 hours of the vulnerability announcement. It looks like the tool you're using to verify may have some faulty logic. If you can send over your test details including the domain name and tool you're using to security@shopify.com we'll definitely take a closer look just to make sure.


Thanks,

Mark Hayes
 

Shopify Partner

If I input checkout.shopify.com at https://lastpass.com/heartbleed/, it says the following:

Detected server software of nginx
That server is known to use OpenSSL and could have been vulnerable.

The SSL certificate for checkout.shopify.com valid 3 days ago at Apr 6 17:16:09 2014 GMT.
This is before the heartbleed bug was published, it may need to be regenerated.

Tourist

This is from LastPass a few minutes ago.

"Site: checkout.shopify.com
Server software: nginx
Vulnerable: Definitely (known use OpenSSL)
SSL Certificate: Unsafe (created 4 days ago at Apr 6 17:16:09 2014 GMT)
Assessment: Wait for the site to update before changing your password"

I'd like to let my customers know the situation. Is it safe for them to shop? Should they log on and create new passwords? Please address this issue. If it's not serious, it would be good to know. If it is, it should be taken care of.

Thanks,

Leslie

cooleastmarket.com

Shopify Staff

Hi Tai and Leslie,

We do use OpenSSL and nginx at Shopify. We re-generated all our certificates the morning of April 8, after the bug was announced.

The certificate authority that we use to issue our certificates backdates the start date of certificate validation by a few days.

The reason for the backdating is because some computers (especially older, personal computers) have clock inconsistencies due to a variety of factors. They backdate the certificates to avoid any issues.

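The disagreement between the checkers ("Certificate has NOT been reissued since the 0day", "created 4 days ago at Apr 6") and Shopify's statement that every certificate was regenerated on the morning of April 8 is exactly what a CA backdating notBefore produces. The Python below is added to this thread and is not code from Shopify, LastPass or the other checker. It shows the check done two ways: the naive notBefore rule the checkers use, and a version that treats a notBefore inside the backdating window as inconclusive and, where a pre-disclosure snapshot of the certificate's serial number and SHA-256 fingerprint exists, compares against that instead of the date. The inputs are dicts shaped like Python's ssl.SSLSocket.getpeercert() plus the DER bytes from getpeercert(binary_form=True); the certificate values, the three-day allowance and the snapshot are constructed assumptions for the demonstration.

```python
"""Was a TLS certificate reissued after a disclosure date?

Inputs are shaped like ssl.SSLSocket.getpeercert() (the dict form) and
getpeercert(binary_form=True) (the DER bytes), so the functions can be fed
from a live connection; the values used here are constructed for the demo.
"""
import hashlib
import ssl

# Heartbleed (CVE-2014-0160) was publicly disclosed on 7 April 2014.
HEARTBLEED_DISCLOSED = ssl.cert_time_to_seconds("Apr  7 00:00:00 2014 GMT")
# Assumption for this example: the CA backdates notBefore by at most 3 days.
BACKDATE_ALLOWANCE = 3 * 24 * 3600


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def naive_reissued(cert: dict, disclosed: int = HEARTBLEED_DISCLOSED) -> bool:
    """The rule the checkers quoted in this thread apply: reissued iff
    notBefore is after the disclosure.  Wrong for backdated certificates."""
    return ssl.cert_time_to_seconds(cert["notBefore"]) >= disclosed


def assess_reissue(cert: dict, der: bytes, snapshot=None,
                   disclosed: int = HEARTBLEED_DISCLOSED,
                   allowance: int = BACKDATE_ALLOWANCE) -> str:
    """Return 'reissued', 'not_reissued' or 'inconclusive'.

    snapshot: optional (serialNumber, sha256 fingerprint) recorded for this
    host before the disclosure.  When present it is authoritative: a changed
    serial or fingerprint means a new certificate regardless of the dates.
    """
    if snapshot is not None:
        old_serial, old_fp = snapshot
        if cert["serialNumber"] != old_serial or fingerprint(der) != old_fp:
            return "reissued"
        return "not_reissued"
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    if not_before >= disclosed:
        return "reissued"          # a certificate cannot predate its own notBefore
    if not_before >= disclosed - allowance:
        return "inconclusive"      # may be a backdated post-disclosure certificate
    return "not_reissued"          # issued before the disclosure even allowing backdating


if __name__ == "__main__":
    # Constructed certificate data mirroring the dates quoted in the thread.
    checkout_cert = {"subject": ((("commonName", "checkout.shopify.com"),),),
                     "serialNumber": "0A1B2C",            # constructed value
                     "notBefore": "Apr  6 17:16:09 2014 GMT",
                     "notAfter": "Apr  6 17:16:09 2016 GMT"}
    checkout_der = b"constructed DER bytes, not a real certificate"
    # A snapshot taken before 7 April with a different serial and fingerprint.
    old_snapshot = ("000123", fingerprint(b"constructed pre-disclosure DER"))
    print("naive rule says reissued:", naive_reissued(checkout_cert))
    print("without snapshot:", assess_reissue(checkout_cert, checkout_der))
    print("with snapshot:", assess_reissue(checkout_cert, checkout_der, old_snapshot))
```

Without a snapshot the April 6 notBefore lands inside the backdating window, so the honest answer is "inconclusive" rather than the "unsafe" the checkers printed; with a snapshot the serial and fingerprint settle it. For a live host, record (serial, fingerprint) from getpeercert() before an incident, or pull it from a Certificate Transparency log, and compare against that.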
Shopify Partner

Hi Courtney. Sorry, I'm still not clear. Did you update your servers to fix the OpenSSL vulnerability before getting new certificates? New certificates alone are of no help - obviously the server needs to be patched first. Please clarify. Thanks!

Shopify Staff

Hi Tai – yes, our servers were patched prior to updating to the new SSL certificates.

New Member

The reason I went with Shopify, a hosted site, is so that I do not have to be concerned with security issues like I did with my previous open source osCommerce site. How do I know if my site has not been compromised? I'm not a techie and want to be able to focus on running my business, not concern myself with these issues. Please advise.

New Member

Is there an official statement from shopify that we can use to update our customers about this issue?
