Re: Addressing Heartbleed security issue with MIVA
BTW, here's a tutorial on how to get customers to force a PW change:
https://support.mivamerchant.com/sup...count-password
Addressing Heartbleed security issue with MIVA
-
Re: Addressing Heartbleed security issue with MIVA
skepticwebguy,
I'm not on one of the compromised versions, and not hosted with Miva. Will the upgrade affect anything in my mivavm.conf file? I assume that the certs for Empresa 5.19 will need to be updated?
Example entry for the mivavm.conf:
If currently set to:
cadir=/path/to/mivavm-v5.19/certs/openssl-0.9
change to:
cadir=/path/to/mivavm-v5.19/certs/openssl-1.0
You will also want to confirm that the paths to the new OpenSSL files (also configured within the mivavm.conf) are correct as well.
Example:
openssl=/path/to/libssl.so
openssl_crypto=/path/to/libcrypto.so
Contact Miva Support if you run into any other questions or issues.
Thank you,
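A way to check the settings named in the reply above, as an added example that is not part of the original post or Miva's own tooling: it reads the cadir, openssl and openssl_crypto entries, pulls the version banner out of the libcrypto file, and reports a Heartbleed-range library or a cadir that does not match the library branch. The function names and the banner-scanning approach are assumptions of this example.

```python
import re
import sys

# Version banner embedded in libcrypto, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+)\.(\d+)([a-z]*)(?:-[a-z]+)? +\d{1,2} [A-Z][a-z]{2} \d{4}")

def parse_conf(text):
    """Collect key=value settings from mivavm.conf text."""
    conf = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def library_version(blob):
    """Return (branch, patch, letter) from library bytes, or None."""
    m = BANNER.search(blob)
    return tuple(g.decode() for g in m.groups()) if m else None

def heartbleed_affected(branch, patch, letter):
    # Upstream releases 1.0.1 through 1.0.1f are affected; 1.0.1g is fixed.
    # Distro packages may backport the fix without changing this banner.
    return (branch, patch) == ("1.0", "1") and letter < "g"

def audit(conf_text, crypto_blob):
    """Return a list of findings for one mivavm.conf and its libcrypto bytes."""
    conf, findings = parse_conf(conf_text), []
    for key in ("cadir", "openssl", "openssl_crypto"):
        if key not in conf:
            findings.append(f"missing setting: {key}")
    version = library_version(crypto_blob)
    if version is None:
        return findings + ["no OpenSSL version banner found in openssl_crypto"]
    branch, patch, letter = version
    if heartbleed_affected(branch, patch, letter):
        findings.append(f"OpenSSL {branch}.{patch}{letter} is in the Heartbleed range")
    cadir = conf.get("cadir", "")
    # The reply names the cert directories openssl-0.9 and openssl-1.0.
    if cadir and not cadir.rstrip("/").endswith(f"openssl-{branch}"):
        findings.append(f"cadir {cadir} does not match OpenSSL branch {branch}")
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read()  # argument: path to mivavm.conf
    with open(parse_conf(text)["openssl_crypto"], "rb") as lib:
        print("\n".join(audit(text, lib.read())) or "no findings")
```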
-
Re: Addressing Heartbleed security issue with MIVA
I'm not on one of the compromised versions, and not hosted with Miva. Will the upgrade affect anything in my mivavm.conf file? I assume that the certs for Empresa 5.19 will need to be updated?
Last edited by skepticwebguy; 04-15-14, 10:01 AM.
-
Re: Addressing Heartbleed security issue with MIVA
Yes, we recommend upgrading to the latest OpenSSL. If you're on one of the compromised versions it's more than a recommendation.
If you're hosted with us, we've already upgraded it for you.
-
Re: Addressing Heartbleed security issue with MIVA
Does Miva recommend upgrading our servers to OPENSSL 1.0.1? I'm running Miva Merchant Engine 5.19, with Miva Merchant 5.5.
-
Re: Addressing Heartbleed security issue with MIVA
Sorry, meant vulnerable!
-
Re: Addressing Heartbleed security issue with MIVA
This wasn't an infection type scenario. Our servers were vulnerable for a small window and we patched them within minutes of the patch being released the other night.
We're working on both a tool to assist in this process (customer account password resets) and a blog post on recommended actions.
-
Re: Addressing Heartbleed security issue with MIVA
Now that the cat is out of the bag (heart bleed) and ecommerce customers know about it, shouldn't store owners assure them that their site isn't affected and at the same time ask to change the password - just to be sure? Without doing this, sales could drop significantly.
BTW I hope Miva's (Hostasaurus') servers are not infected ;-)
Last edited by PCINET - Andreas; 04-10-14, 08:03 AM.
-
Re: Addressing Heartbleed security issue with MIVA
Personally, I wouldn't "force" users. I'd strongly encourage them. All that is needed for that is messaging on the Login screen.
-
Re: Addressing Heartbleed security issue with MIVA
We have the customer account reset on the Admin side (of course). I don't think it's ever come up on the Shoppers Side before. I'll ask Dev tomorrow about that process.
-
Addressing Heartbleed security issue with MIVA
The Heartbleed OpenSSL security issue reveals that MIVA Merchant lacks some tools that online merchants could use.
I'm investigating how to force customers to do a password reset on their next MIVA login. How do I do this with MIVA 5.5? (PR8.12)
The customer settings should include a "force password reset" as an option (both individually and globally).
Can anyone suggest a solution?