A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.
Doug Nebeker ("Doug")
In case you haven't heard, bad news in Internet security land:
A very large number of secure websites are affected, and software that uses OpenSSL internally for TLS might be too.
So we, as many others, hurried and updated our software to the fixed version. How loudly should we trumpet that?
1. It advertises that previous versions have the vulnerability (not our fault), so might make hackers look for installations of our software online?
2. We've made the fix in the latest version. REALLY don't want to go back and patch ancient versions.
2a. If customers have a current support contract, they can get the latest version. If they don't, do they deserve a free upgrade?
Interested to hear how others are dealing with this situation in particular, and generally.
>> "1. It advertises that previous versions have the vulnerability (not our fault), so might make hackers look for installations of our software online?"
The cat's already out of the bag, Doug. Hackers already have automated tools to scan for vulnerable sites. You're doing your customers a disservice if you don't trumpet it loudly & immediately.
Wednesday, April 09, 2014
I didn't really answer your other questions:
>> "2a. If customers have a current support contract, they can get the latest version. If they don't, do they deserve a free upgrade?"
No. But is the HTTPS server separate from your actual product? That is, are you bundling an existing server like Apache or NGINX in your product? If so, you can give them instructions on how to update those parts of your product if they don't want to buy the latest version of your app.
Of course, it's entirely up to you, but I wouldn't recommend free updates.
>> "Interested to hear how others are dealing with this situation in particular, and generally."
A majority of our customers are on our hosted version of our software, and by good luck we hadn't yet gotten around to upgrading to the 1.0.1 branch of OpenSSL (we were still on 1.0.0x).
However for customers using our self-hosted version of LimeLM, some customers were using the 1.0.1 branch, and thus were vulnerable. So for these customers we notified them immediately, gave them upgrade instructions, and offered our time for free to help them upgrade.
Of course, our product is decoupled. In other words, we don't bundle the HTTP/HTTPS server with our self-hosted LimeLM. We just let customers choose the server they want. So even previous customers can get the latest OpenSSL fixes without being required to buy our latest self-hosted LimeLM version.
From what it sounds like, your product isn't like that.
Thursday, April 10, 2014
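A version triage check for the 1.0.0x-versus-1.0.1 distinction made in the reply above, added here as an example and not code from the thread or from LimeLM. The host names and banners are constructed, and the affected range it encodes (upstream 1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g and 1.0.2-beta2) is upstream OpenSSL's, so distribution builds that backport the fix without changing the version string still need a separate check.

```python
import re
from typing import List, Optional, Tuple

# Matches the start of `openssl version` output, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
# or "OpenSSL 1.0.2-beta1 24 Feb 2014" (letter suffix and beta number optional).
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, str, Optional[int]]]:
    """'OpenSSL 1.0.1e 11 Feb 2013' -> (1, 0, 1, 'e', None); None if unparseable."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letters, beta = m.groups()
    return int(major), int(minor), int(patch), letters, (int(beta) if beta else None)


def heartbleed_status(banner: str) -> str:
    """Classify an upstream OpenSSL build as 'vulnerable', 'fixed', 'unaffected' or 'unknown'.

    'vulnerable' means "verify this install": distributions backport fixes while
    keeping the upstream version string, so a patched 1.0.1e can still report 1.0.1e.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    major, minor, patch, letters, beta = parsed
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) and 1.0.1a..1.0.1f shipped the bug; 1.0.1g onward carry the fix.
        return "vulnerable" if letters < "g" else "fixed"
    if (major, minor, patch) == (1, 0, 2):
        # Only 1.0.2-beta1 shipped the bug; beta2 onward and the 1.0.2 release are fixed.
        return "vulnerable" if beta == 1 else "fixed"
    # 0.9.8 and 1.0.0 predate the heartbeat code; every later branch was released with the fix.
    return "unaffected"


def installs_needing_action(inventory: List[Tuple[str, str]]) -> List[str]:
    """From (host, banner) pairs, return hosts to notify: vulnerable by version or unverifiable."""
    return [host for host, banner in inventory
            if heartbleed_status(banner) in ("vulnerable", "unknown")]


# Constructed sample inventory, as a support team might collect from customer hosts.
SAMPLE_INVENTORY = [
    ("hosted-web-1", "OpenSSL 1.0.0l 6 Jan 2014"),
    ("cust-a-selfhost", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("cust-b-selfhost", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("cust-c-selfhost", "OpenSSL 1.0.2-beta1 24 Feb 2014"),
    ("cust-d-selfhost", "openssl: command not found"),
]
```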
Yes, OpenSSL backwards compatibility is a major fuckup between Linux distributions, but if you're doing it on Windows, it works most of the time.
You may get away with just recompiling that particular version of OpenSSL with -DNO_HEARTBLEED and put it on your website as an unsupported download.