The Business of Software

A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.

OpenSSL Heartbleed - announce fix?

In case you haven't heard, bad news in Internet security land:

http://heartbleed.com/

A very large number of secure websites are affected, and software that uses OpenSSL internally for TLS might be too.

So we, like many others, hurried and updated our software to the fixed version. How loudly should we trumpet that?

1. It advertises that previous versions have the vulnerability (not our fault), so might make hackers look for installations of our software online?

2. We've made the fix in the latest version.  REALLY don't want to go back and patch ancient versions.

2a. If customers have a current support contract, they can get the latest version.  If they don't, do they deserve a free upgrade?

Interested to hear how others are dealing with this situation in particular, and generally.
Doug
Wednesday, April 09, 2014
 
 
Wouldn't you just have been using OpenSSL DLLs anyway? Just tell unsupported users that the best way is to either pay for a current license or drop in a DLL.
Bring back anon
Wednesday, April 09, 2014
 
 
@Bring back anon

That's a great idea.  After some reading though, it appears different OpenSSL versions are not necessarily binary compatible, and usually require a recompile and relink.
Doug
Wednesday, April 09, 2014
 
 
>> "1. It advertises that previous versions have the vulnerability (not our fault), so might make hackers look for installations of our software online?"

The cat's already out of the bag, Doug. Hackers already have automated tools to scan for vulnerable sites. You're doing your customers a disservice if you don't trumpet it loudly & immediately.
Wyatt O'Day
Wednesday, April 09, 2014
 
 
I didn't really answer your other questions:

>> "2a. If customers have a current support contract, they can get the latest version.  If they don't, do they deserve a free upgrade?"

No. But is the HTTPS server separate from your actual product? That is, are you bundling an existing server like Apache or NGINX in your product? If so, you can give them instructions on how to update those parts of your product if they don't want to buy the latest version of your app.

Of course, it's entirely up to you, but I wouldn't recommend free updates.

>> "Interested to hear how others are dealing with this situation in particular, and generally."

A majority of our customers are on our hosted version of our software, and by good luck we hadn't yet gotten around to upgrading to the 1.0.1 branch of OpenSSL (we were still on 1.0.0x).

However for customers using our self-hosted version of LimeLM, some customers were using the 1.0.1 branch, and thus were vulnerable. So for these customers we notified them immediately, gave them upgrade instructions, and offered our time for free to help them upgrade.

Of course, our product is decoupled. In other words, we don't bundle the HTTP/HTTPS server with our self-hosted LimeLM. We just let customers choose the server they want. So even previous customers can get the latest OpenSSL fixes without being required to buy our latest self-hosted LimeLM version.

From what it sounds like, your product isn't like that.
Wyatt O'Day
Thursday, April 10, 2014
 
 
Yes, OpenSSL backwards compatibility is a major fuckup between Linux distributions but if you're doing it on Windows, it works most of the time.

You may get away with just recompiling that particular version of OpenSSL with -DNO_HEARTBLEED and putting it on your website as an unsupported download.
Bring back anon
Sunday, April 13, 2014
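Two of the posts above turn on the same triage question a vendor faces: which of its own installs and customer self-hosted installs actually carry the bug (the 1.0.1 branch does, 1.0.0x does not) and whether a rebuilt library with heartbeats compiled out counts as mitigated. The following Python helper is an added editorial example, not code from any of the posters, from LimeLM or from the OpenSSL project. It classifies `openssl version -a` dumps into the Heartbleed-affected range (1.0.1 through 1.0.1f, fixed in 1.0.1g, plus 1.0.2-beta1, fixed in 1.0.2-beta2; 0.9.8 and 1.0.0 never had the heartbeat extension). The compile-time macro OpenSSL's heartbeat code is guarded by is `OPENSSL_NO_HEARTBEATS`; the example assumes that a build which disabled heartbeats passed that define on the compiler command line so it appears in the `compiler:` line of `openssl version -a`. The inventory of banners is constructed for the demonstration.

```python
import re

# Heartbleed is confined to the OpenSSL 1.0.1 branch up to and including
# 1.0.1f (fixed in 1.0.1g) and to 1.0.2-beta1 (fixed in 1.0.2-beta2).
# The 1.0.0 and 0.9.8 branches never implemented the TLS heartbeat
# extension, so a product still linked against 1.0.0x is unaffected.
LAST_VULNERABLE_101_LETTER = "f"

# Compile-time switch that removes the heartbeat code from OpenSSL.
NO_HEARTBEATS_MACRO = "OPENSSL_NO_HEARTBEATS"

# First line of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013" or
# "OpenSSL 1.0.2-beta1 24 Feb 2014".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_version(banner):
    """Return (major, minor, fix, letter, beta) or None if unparseable."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)                      # '' for a plain x.y.z release
    beta = int(m.group(5)) if m.group(5) else None
    return major, minor, fix, letter, beta


def heartbeats_disabled(version_a_output):
    """True if the 'compiler:' line of `openssl version -a` carries the
    no-heartbeats define.  ASSUMPTION: the build passed the define on the
    command line, so it shows up in the recorded compiler flags."""
    for line in version_a_output.splitlines():
        if line.lower().startswith("compiler:") and NO_HEARTBEATS_MACRO in line:
            return True
    return False


def classify(version_a_output):
    """Map one `openssl version -a` dump to a triage label:
    vulnerable / mitigated / fixed / unaffected / unknown."""
    parsed = parse_version(version_a_output)
    if parsed is None:
        return "unknown"
    major, minor, fix, letter, beta = parsed
    branch = (major, minor, fix)
    if branch == (1, 0, 1):
        if letter > LAST_VULNERABLE_101_LETTER:
            return "fixed"            # 1.0.1g and later
        return "mitigated" if heartbeats_disabled(version_a_output) else "vulnerable"
    if branch == (1, 0, 2):
        if beta == 1:
            return "mitigated" if heartbeats_disabled(version_a_output) else "vulnerable"
        return "fixed"                # 1.0.2-beta2 and every 1.0.2 release
    return "unaffected"               # 0.9.8, 1.0.0, 1.1.0 and later


def triage(inventory):
    """inventory: {deployment name: `openssl version -a` output}.
    Returns {deployment name: label} so affected installs can be
    notified and upgraded first."""
    return {name: classify(output) for name, output in inventory.items()}


# Constructed sample inventory standing in for what a vendor might
# collect from its own hosted installs and customers' self-hosted ones.
SAMPLE_INVENTORY = {
    "hosted-prod":     "OpenSSL 1.0.0l 6 Jan 2014\ncompiler: gcc -O2\n",
    "cust-a-selfhost": "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -O2\n",
    "cust-b-selfhost": "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -O2\n",
    "cust-c-selfhost": "OpenSSL 1.0.1f 6 Jan 2014\ncompiler: gcc -DOPENSSL_NO_HEARTBEATS -O2\n",
    "lab-beta":        "OpenSSL 1.0.2-beta1 24 Feb 2014\ncompiler: gcc -O2\n",
    "legacy-box":      "OpenSSL 0.9.8y 5 Feb 2013\ncompiler: gcc -O2\n",
    "broken-record":   "command not found\n",
}

if __name__ == "__main__":
    for name, label in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{name:16} {label}")
```

The "mitigated" label is deliberately separate from "fixed": a rebuilt 1.0.1f with heartbeats compiled out closes Heartbleed but still misses every later 1.0.1 fix, so it belongs on an upgrade list rather than being dropped from it.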
 
 