LightSpeed 3.9.6 and Heartbleed

LightSpeed sent out a notice to all of its users today about Heartbleed and how it affects them. Unfortunately, rather than provide answers, this email may have created more questions. Here’s what you need to know.

Did you get this email from LightSpeed today?

On April 7th, a vulnerability called Heartbleed was discovered in some versions of the popular OpenSSL software, which is used by a majority of the world’s web services to encrypt communication between the user and the service. Heartbleed allows a third party to potentially access private data from the server.

What is ‘Heartbleed’? What is ‘OpenSSL’? And why should you care?

Heartbleed is a vulnerability in the OpenSSL software. That means it’s not a virus; it’s a bug that was already there, and someone just figured out a way to exploit it.

Secure Sockets Layer (SSL) is the technology used to encrypt data before it is sent over the internet. OpenSSL is the most popular implementation of the SSL technology. We use this on our Web Stores in order to safeguard our customers’ credit card information when it is being sent to the bank for processing.

LightSpeed also uses SSL when it makes a connection between the client and the server. For example, if you have a computer in the back that acts as your ‘server’, and one at the front counter that acts as the ‘client’, the communication between them is encrypted using SSL.

This seems to be a bit of overkill since it’s highly unlikely that a hacker would be able to get past the firewall in your internet router in the first place, let alone use this Heartbleed thing to listen in on the conversation between the front desk and the back office… and even if they did, what would they get?

LightSpeed doesn’t keep credit card data in its database, but US stores that use the integrated credit card authorization feature do collect card data and transmit it using SSL to their merchant processor. For these customers, Heartbleed could be a problem.

Additionally, if you access your store over the internet from home, you are using SSL to encrypt the data as it goes over the internet. For you, Heartbleed could be a problem.

What does this mean to you?

If you’re using the integrated credit card processing in the US, or accessing LightSpeed remotely, you should upgrade to version 3.9.6 right away.

If you’re unsure how to do this, call LightSpeed tech support… or book a session with me and I’ll take care of it for you.

LightSpeed 3.9.6

Luckily, in addition to getting some beefed up security, LightSpeed 3.9.6 also fixes a couple of nasty bugs… some of which were reported on this website earlier.

Anyone who jumped the gun and upgraded to LightSpeed 3.9.5 should download this upgrade right away.

Here are the official release notes for those with inquiring minds…

  • Fixed a case where users could not print owing invoices from StoreMaster
  • Improved French translations on receipts
  • Creating a matrix from a product with a photo no longer results in child products without GL accounts
  • Improved performance for Accounts Receivable on Date report
  • Updated OpenSSL library to address Heartbleed