Heartbleed – All LexiConn Servers Patched

If you haven’t already seen or heard about Heartbleed, the large vulnerability that affected over half a million trusted websites, here is a synopsis, the status of our servers being patched, and my take on why the sky is NOT falling due to this issue.

LexiConn is Safe

Once this vulnerability was announced, we had all of our affected servers patched within a few hours. Note that the large majority of our servers were not vulnerable to this attack, as they run versions of the OpenSSL software that did not have the bug in them.

What is Heartbleed?

Heartbleed is a bug in the very popular OpenSSL cryptographic library used by many modern servers throughout the world. OpenSSL provides the backbone of the encryption used for SSL (i.e. secure) communications over the web.

The bug allows a would-be attacker to read random “chunks” of the server’s memory (64 Kb at a time). Over time, an attacker *could* recover the secret key for the SSL security, and then use that key to go back and decrypt data they had collected.

The attack was discovered and published on April 7th. The severity of this exploit stems from a random attacker being able to request sensitive memory data without triggering anything unusual in the server log files. The attacker does not need access to the server, and the attack does not require a more complicated “man in the middle” vector.
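To show where the bug lived, here is an added Python model of the TLS heartbeat handling (illustration only; not code from this post or from OpenSSL). The 2-byte length field is why one request can pull at most 65,535 bytes (the 64 Kb figure above), the vulnerable handler trusts that field, and the fixed handler applies the same check the OpenSSL patch added: drop the record if the declared payload plus padding does not fit inside the bytes actually received. The “private key” text is a constructed stand-in.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
PADDING = 16  # RFC 6520: a heartbeat message carries at least 16 bytes of padding

# Constructed stand-in for the secret material that sits next to the record in memory.
SECRET = b"-----BEGIN PRIVATE KEY----- (constructed stand-in, not a real key)"

def build_heartbeat(declared_len: int, payload: bytes) -> bytes:
    """Heartbeat message: 1-byte type, 2-byte payload_length, payload, padding.
    The 2-byte field is why one request can claim at most 65,535 bytes."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload + bytes(PADDING)

def vulnerable_handler(memory: bytes, record_len: int) -> bytes:
    """Pre-1.0.1g behaviour: trusts the length field inside the message and
    copies that many bytes from the payload onward, never comparing it with
    record_len, the number of bytes actually received."""
    hbtype, payload_len = struct.unpack("!BH", memory[:3])
    if hbtype != HEARTBEAT_REQUEST:
        return b""
    return memory[3:3 + payload_len]  # runs past the record into whatever follows

def fixed_handler(memory: bytes, record_len: int) -> Optional[bytes]:
    """The patched check: type + length + declared payload + padding must fit
    inside the bytes actually received, otherwise the record is silently dropped."""
    if record_len < 1 + 2 + PADDING:
        return None
    hbtype, payload_len = struct.unpack("!BH", memory[:3])
    if 1 + 2 + payload_len + PADDING > record_len:
        return None
    if hbtype != HEARTBEAT_REQUEST:
        return None
    return memory[3:3 + payload_len]

def demo():
    """A 2-byte payload that claims to be 65,535 bytes long, followed in memory
    by SECRET. Returns what each handler would echo back to the peer."""
    record = build_heartbeat(declared_len=0xFFFF, payload=b"hi")
    memory = record + SECRET
    return vulnerable_handler(memory, len(record)), fixed_handler(memory, len(record))

if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable handler echoed:", leaked)
    print("fixed handler echoed:", safe)
```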

How Real is this Threat?

The media sure likes to jump on a story like this. The “sky is falling” doomsday articles are a bit overblown.

That’s not to say this isn’t a big deal. It is. It needs to be taken seriously, and all internet providers should already be patched.

Once the exploit was released to the public (along with simple code anyone could run to take advantage of this bug), the threat became *VERY* real. Getting patched quickly was the best defense against Heartbleed.

However, here is my take on the odds of a hacker being able to find this vulnerability on his or her own, and then successfully use this information to exploit servers and data…

First, the hacker would have needed to be smart enough to find this vulnerability on their own. It took a team of researchers from a security company and Google to discover the flaw. It likely isn’t something the average hacker would have discovered on their own.

For the sake of argument, let’s say one of the top hackers out there found out about this flaw. They would have needed to keep it quiet (which is certainly possible), as no one else had heard about it before the team announced it a few days ago.

Next, they would have needed to launch a targeted attack against a site or group of sites that they wanted to compromise (and that were running software vulnerable to this attack). This attack is not easy to exploit fully, as it takes time, skill, and patience to collect 64 Kb of random data, one connection at a time. Each fragment would need to be saved and examined in an attempt to obtain the secret private key that encrypts the data.

If this secret key were to be pieced back together, then the process of assembling these random fragments into usable chunks and then decrypting them begins. It’s not something you can just write a few lines of code for and hit the jackpot. It requires a great deal of resources and know-how to pull off.

If all of the above did happen, the hacker would probably want to target something big, like a bank or a large site like Yahoo. It’s highly unlikely they would target small business websites, as the effort expended would far outweigh the potential data they might recover.

As you can see, the odds of this being pulled off *BEFORE* the bug was announced to the public are probably quite low. Think of the odds of being struck by lightning twice in the same spot on the same day.

However, *AFTER* the bug was announced, the threat became much more real. With available code, the “script kiddies” could launch these attacks easily, and the potential for sensitive data to be found becomes quite high.

To reiterate, all LexiConn servers and accounts were fully patched against Heartbleed a few hours after the release was made public. The vast majority of our servers were not vulnerable to this attack at any time, so there was only a tiny chance it could have even been exploited in the past.

If you have any questions about this vulnerability as it relates to your account with us, just drop us an email, or give us a call.

ShopSite Tip: Order Notification Blocking May Affect You!

If your store is currently configured to send order notifications with the customer as the ‘From’ address (the default setting), you may soon stop receiving these notifications. This applies to any merchant currently forwarding order notifications to GMail, Yahoo and other third-party mail servers.

This is true even if your store email address is at your domain. Any action that in turn forwards that email off the server would result in the message being marked as spam or rejected entirely.

Order notification settings can be verified under Commerce > Order System > E-Mail.

Why The Change?

Yahoo recently upgraded their DNS to include a signature that tells ISPs and other mail servers that an email from their domain is valid. This signature, also known as a DMARC record, is only included on emails originating from Yahoo servers. An order notification email originates on the server your store is hosted on and does not contain the required signature. Email providers like GMail will see your hosting account as the origin for these Yahoo, AOL, GMail, and other customer email addresses and subsequently block the email from being delivered.

What Options Exist?

Luckily, for most, this is a simple fix: set the ‘From:’ address on email order notifications to an address that matches your domain. This way the emails originate from a domain that is expected, which should help keep them from being marked as spam.

To change the default setting, navigate to Commerce > Order System > E-Mail. Next, select the option to use a specific email address, then enter one at your domain.

The only drawback is that you will not be able to directly reply to your customer from this order notification. You would have to manually change the address. It is worth it though if you forward your email.

It’s also *VERY* important that your store’s default email address is set to your domain, and not a GMail or Yahoo address. If not, customers may not get their receipts either.
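As an added example (not code from this post or from ShopSite), here is a small Python model of the problem and the fix described above: a constructed DMARC record lookup (read from a dict instead of DNS so it runs offline) shows why a notification carrying a Yahoo customer address in From: but leaving your hosting server gets blocked, and the notification builder puts your own domain in From: as the post recommends. It also sets a Reply-To header so replies still reach the customer, which addresses the drawback noted above in a mailer you control; the post does not say whether ShopSite’s setting exposes that header, so treat it as a general mail technique.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample DMARC TXT records, keyed by the domain that would publish
# them at _dmarc.<domain>. Read from this dict instead of DNS so the example
# runs offline; the p=reject entry mirrors the kind of policy the post describes.
SAMPLE_DMARC = {
    "yahoo.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.invalid",
    "example.net": "v=DMARC1; p=none; rua=mailto:reports@example.net",
}

def dmarc_policy(domain: str, records=SAMPLE_DMARC) -> str:
    """Return the p= tag of a domain's DMARC record; 'none' if it publishes none."""
    record = records.get(domain.lower(), "")
    if not record.startswith("v=DMARC1"):
        return "none"
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p", "none").strip().lower()

def _domain(addr: str) -> str:
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def would_be_blocked(from_addr: str, sending_domain: str) -> bool:
    """True when a receiver that honours DMARC would quarantine or reject a message
    that carries from_addr in From: but actually left sending_domain's server.
    The hosting server cannot pass SPF or DKIM for a domain it does not control."""
    if _domain(from_addr) == sending_domain.lower():
        return False  # aligned with our own domain; SPF/DKIM for that domain can pass
    return dmarc_policy(_domain(from_addr)) in ("quarantine", "reject")

def build_notification(customer_addr: str, store_addr: str, body: str) -> EmailMessage:
    """Order notification built the way the post recommends: From: is an address at
    the store's own domain. Reply-To carries the customer's address so a reply still
    reaches them (a general mail header, not a ShopSite setting shown in the post)."""
    msg = EmailMessage()
    msg["Subject"] = "New order notification"
    msg["From"] = store_addr
    msg["Reply-To"] = customer_addr
    msg["To"] = store_addr
    msg.set_content(body)
    return msg

if __name__ == "__main__":
    # Constructed addresses; mystore.example stands in for the merchant's own domain.
    print(would_be_blocked("jane@yahoo.com", "mystore.example"))
    print(would_be_blocked("orders@mystore.example", "mystore.example"))
    print(build_notification("jane@yahoo.com", "orders@mystore.example", "Order #1234"))
```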

Five Hidden Pitfalls Of Remotely Hosted Shopping Carts

There are two broad types of ecommerce solutions:

1. Software that is installed in a hosting account (like ShopSite or Magento), or
2. Software as a service (SaaS), a remotely hosted shopping cart with no installation or ownership of files (like Volusion, Shopify, BigCommerce, etc.)

Although the idea of not having to install or maintain any software may sound appealing, there are five drawbacks that you will want to consider…

1. Hidden Fees

At a quick glance, a remotely hosted solution may seem like a great deal. Some have low monthly fees. Others offer a ton of features at no additional cost. It can seem like a “no-brainer” to start with this type of solution.


However, the devil is in the details, and there are two areas where costs can skyrocket:

Low bandwidth limits

Many of these ecommerce-as-a-service solutions only include a few gigabytes of monthly bandwidth (one even has a plan with just ONE gigabyte). If you have a handful of products and use some hi-res images, it’s easy to exceed a few gigabytes in just a few days.

If you read the fine print, the additional bandwidth fees can be quite high, ranging from $5 per gigabyte to $10 per gigabyte! So, if your plan comes with 10 GB of bandwidth, and you have a few small videos and images that get downloaded/viewed a bunch of times, it’s not abnormal to see 50 gigabytes in a month. At $10 per GB, that would be an additional $400 per month in fees!

Percentage of sales

Another tactic used by some of these providers is to take a percentage of your sales as an additional fee. When you’re starting out, this may be appealing, as your sales are low, and you can save money in the beginning.

However, let’s say you run a popular sale at low margin as a way to get your name out there. Add in an additional 1-2 percent that goes to your provider, combined with credit card fees, and you can quickly eat away any profit.

Keep this in mind when looking at other solutions. I don’t think your sales volume should be something that a provider gets to piggy-back on to make money themselves.

2. Moving away is very hard to do


Since the software is not something you own or even have access to, these types of solutions are non-portable. That means if you are not pleased with their level of service, or they have too much downtime, or you just want to take your existing store somewhere else, you can’t. You cannot use their solution unless it’s also hosted with them.

Contrast this with ecommerce software that is installed in your account, something like ShopSite or Magento. With software that you do control, it’s easy to take your site and move it to a different host.

Software as a service solutions often make it difficult to migrate to another platform. Sometimes they restrict exports, or limit FTP download speeds. They don’t want you to leave, and make doing so a not so pleasant experience.

With other ecommerce software that is under your control, it’s often quite easy to switch platforms. Full exports are allowed, and you have access to all the files right in your account.

Always keep this in mind when choosing an ecommerce platform. Things may not always go smoothly, and it can be an eye-opening experience when you need to move and find many obstacles in your way.

3. Hosting is not their specialty

Many of these ecommerce solutions providers did not start out as web hosts. In fact, many of them used to sell their ecommerce software for use with other web hosts. They don’t have a background in hosting.

Hosting is more of an add-on than a core competency.

Does it matter? Yes, it can matter quite a bit.

Many of the features you may come to expect from a web host, such as advanced email hosting, advanced access to your account via SSH or SFTP, and the ability to install other applications like a blog, are often missing or severely lacking at a remote ecommerce provider.

Some don’t allow email at all with their service. Most will not allow SSH access. Many won’t let you install software such as WordPress, or custom scripts.

One SaaS provider even removed all FTP access in trying to deal with PCI issues.

These types of roadblocks when trying to build out your site can be frustrating, and may even impact your ability to operate efficiently. Take this into account before making a decision.

4. Updates are not under your control

This can be one of the worst issues to deal with for some online merchants. Since the software is under the provider’s direct control, and it’s often deployed in a shared / centralized fashion, updates are pushed out on the provider’s schedule.

You have no control over when and how updates are made to the software. On the surface, this may sound great. You don’t have to worry about upgrading the software.

But what if an upgrade breaks a feature you rely on? Or they remove a feature that is paramount to what you do? What happens if they perform this upgrade while you’re on vacation, and your store stops working?

With SaaS providers, they dictate when updates are performed. Since the software is centralized, you cannot run a different version, or opt not to upgrade.

However, if the software is under your direct control, you can decide when and if an upgrade will occur. You can work with your web host to pick a date to perform the upgrade.

If your web host is a hands-on managed provider, they’ll let you know when critical updates are needed, and can make the process painless. But at least you can have the final say when it comes to whether an update is applied to YOUR store. Giving up that control can be costly when things don’t go smoothly.

5. Customization can be a problem

Since you don’t have access to the source code, and the software is not even installed in your account, when you need a custom feature or solution, implementing it may be quite difficult if not impossible.

Things such as custom scripts, advanced design elements, or deeper API integration are often not available. This can force you to abandon desired features, or have odd workarounds that don’t fully accomplish your goals.

Remember, these types of services are not full hosting accounts, so adding custom scripts, cron jobs, or additional databases, or otherwise getting under the hood, is not normally allowed.

If you go with ecommerce software that is installed in your web hosting account, then you have the freedom to add in custom features. A developer or designer will have more options at their disposal to implement your desired features.

….

As you can see, SaaS ecommerce providers come with their share of issues. Many times these issues are not brought to light until it’s too late. From hidden fees to a lack of control, these solutions may not be the best choice for your online store.

Make sure you do your homework, and look into the hidden details that could become a roadblock to your store’s success.

Oftentimes, choosing ecommerce software that you “own” can lead to a better outcome. It gives *YOU*, the merchant, direct control over your store, and allows you to make decisions that best suit your needs. Combine this with choosing a web hosting company that can be your partner and provide you with personal support and outstanding service, and you will be well on your way to being a successful merchant, free to make your own choices when it comes to *YOUR* store.


ShopSite Tip – Coupon Code Pop-Up

JavaScript can be used for a variety of features on the Shopping Cart page in ShopSite, such as this tip for showing the amount left to purchase to receive free shipping. Today we’re going to look at a very simple piece of code which will pop up a message to the customer with a coupon code.

Add This Coupon Code!

ShopSite has a large list of JavaScript variables which are available on the Shopping Cart for custom scripts, and we’ll use the “ss_subtotal” variable for this code.


<!-- Coupon Code After Cart Minimum -->
<script type="text/javascript">
// Minimum cart subtotal before the coupon message is shown
var coupon_limit = 500.00;
// ss_subtotal is set by ShopSite on the Shopping Cart page; guard against it being missing
if (typeof ss_subtotal !== 'undefined' && ss_subtotal >= coupon_limit) {
  document.write('<strong>Guess What! Add coupon code "5off" to save 5% on your order!</strong>');
}
</script>

Notes:

- Change the “coupon_limit” value to the minimum value you want the customer to have in the cart before the message appears.
- Update the text in the “document.write” line with the message you want to tell the customer and be sure that you include the coupon code you want them to enter.

Add The Script

That’s all there is to the script. The next step is to place it where you want the message to appear. This can be done by editing your shopping cart template, or you could test it by just adding the code to the Commerce Setup > Order System > Shopping Cart > “Text at the top of the Shopping Cart screen” field.

Most templates will display that field on the Shopping Cart screen.

For a working sample, click here to add a product to our demo store; as long as there is more than $500 in the cart, a message will appear showing the coupon code to enter. Once you’re on the cart, change the quantity to 2 for that product and the message will appear.

Advanced Options

Since there are JavaScript variables for a variety of values, your developer could add features to the code. For example, you could have it only appear if there were specific SKUs in the cart, or if there are no other coupons, or if a certain minimum quantity is in the cart. The possibilities are endless!


Our New Website is Live!

Break out the champagne and confetti! At least that’s how I feel after finalllllly getting the new website out the door.

We launched the new site this past Friday afternoon.

It was a long process, but one that required patience and attention to detail to get right.

Out with the old

It has been a number of years since we’ve redesigned our site. The “old” website was starting to look a little dated. It was designed for a small screen, used small text, and did not properly convey our focus and expertise.

In a nutshell, it *HAD* to go:

Old site (screenshot)

The Process

Six months ago, we decided on a web design firm to help us find a new look that best represented our strengths and services. We opted to go with a local firm, although we could have worked with a remote company just as well.

Getting the homepage look down took a few iterations. From the size of the site, to the text, updated logo, and style of navigation, every aspect was examined in detail. Once we decided on a framework, work was done to build out landing pages, sub-pages, and come up with various templates we could use throughout the site.

The new site is not fully responsive, but is designed in such a way as to scale well on mobile. Our Google Analytics data shows we do not have a lot of mobile-only traffic, so adding the complexity of a fully responsive design did not seem to be the right path.

We knew we wanted a site that expanded to fit the screen that is viewing it, along with fonts and text that were easy to read.

The Last Mile

The design process took up most of the time. After just over four months, we had finalized the design and had our templates. Now the “hard work” began. We opted for an HTML-based site, not one in a CMS like WordPress. We do use WordPress for our blog, but the main site is HTML-based. We had to convert a few hundred pages into the new design: improve titles, alter layouts, rewrite content, etc…

It was a lot of work, but we think the final product made it all worth it. :)

New website (screenshot)

The homepage now has a slider displaying our four areas of expertise. Our top global navigation bar allows a visitor to easily find most pages on our site. The footer has links to all the main areas on the site. Throughout the website we try to convey our focus on personalized service and in-house support for our hosting clients.

We’re still tweaking elements here and there and re-writing some content, but the bulk of the new site is now live. I invite you to browse around, and provide any feedback (both good and bad) on our new look.
