We have begun tracking the Heartbleed Bug across the Internet, and wanted to update you with information to help you minimize the impact on your conversion rate and your sales.
The Heartbleed bug is a major setback for ecommerce sites, online services, and subscription sites, even if your site is not affected by the bug.
Heartbleed is a bug in an encryption library used by many companies. This library, called OpenSSL, implements the TLS encryption (the "https" in the address bar) that protects information such as your username and password between your browser and your servers so others can't listen in. The bug sits in OpenSSL's handling of the TLS "heartbeat" extension: a specially formed heartbeat request makes an affected server send back a chunk of its own memory, which can contain usernames, passwords, session cookies and even the server's private key. Because of the Heartbleed bug, others may well have been listening.
Visitor Trust Has Been Shaken
Basically, any site that has a login could have been using this buggy OpenSSL library to protect your login information.
It doesn’t matter if your site isn’t affected. The perception is that every site is affected.
Even if you aren't affected by the Heartbleed bug, your visitors are now approaching your site with less trust and more trepidation.
You need to act.
Make it Easy to Change Passwords
Restoring trust to a person who is frustrated by the amount of work this bug has created for them is critical. If you take it seriously, you can gain trust faster than competing sites.
As we speak, your visitors are deleting their saved passwords and cookies. They are going to come to your site as strangers.
They may have forgotten their passwords. That is fine: the advice going around is to change every password, and it is sound advice for any site that was vulnerable, once that site has patched (a password changed on a still-vulnerable server can leak just like the old one). Either way, you should make it easy for visitors to recover and change their password.
Your forgotten password functionality should contain a few important features.
- Your new password feature must be working. Test it.
- The verification email must come quickly, even immediately.
- Do you use a complicated CAPTCHA on the form that takes their new password? Eliminate CAPTCHAs or keep them simple.
- Offer a "show password" option on the new-password field. Technically this is less secure, since someone can read it over their shoulder, so keep it off by default and let the visitor turn it on. It prevents the typos that frustrate customers.
Make it easy for them to recover their account and change their password. That builds trust.
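Making recovery easy should not mean making it careless: a reset link that is guessable, reusable or long-lived hands an attacker the same account that Heartbleed may already have exposed. The following is an added example, not code from the original column or from any named platform, showing the server-side half of a reset-and-change-password flow with the properties a reviewer would look for: tokens from a CSPRNG with only their hash stored, a short expiry, single use, constant-time comparison, and revocation of all existing sessions when the password changes (Heartbleed could have leaked session cookies as well as passwords). The in-memory store, the user id "alice", the 15-minute lifetime and the PBKDF2 round count are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import time

RESET_TTL_SECONDS = 15 * 60   # assumed: the link is only useful in the minutes after the email
PBKDF2_ROUNDS = 200_000       # assumed work factor for the password hash


class AccountRecovery:
    """Reset-token and password-change flow over an assumed in-memory store."""

    def __init__(self, ttl=RESET_TTL_SECONDS, clock=time.time):
        self._clock = clock       # injectable so expiry can be tested deterministically
        self._ttl = ttl
        self._reset = {}          # user_id -> (sha256 hex of token, expires_at)
        self._password = {}       # user_id -> (salt, pbkdf2 hash)
        self._sessions = {}       # user_id -> set of session ids

    @staticmethod
    def _token_hash(token):
        # Only the hash is stored, so a leaked table cannot be turned into working links.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    @staticmethod
    def _password_hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def issue_reset_token(self, user_id):
        """Return the secret to put in the email link; it is never stored in the clear."""
        token = secrets.token_urlsafe(32)
        self._reset[user_id] = (self._token_hash(token), self._clock() + self._ttl)
        return token

    def redeem_reset_token(self, user_id, token):
        """True exactly once for a valid, unexpired token; expired tokens are discarded."""
        record = self._reset.get(user_id)
        if record is None:
            return False
        stored_hash, expires_at = record
        if self._clock() > expires_at:
            del self._reset[user_id]
            return False
        if not hmac.compare_digest(stored_hash, self._token_hash(token)):
            return False
        del self._reset[user_id]   # single use: a second click on the same link fails
        return True

    def set_password(self, user_id, new_password):
        """Store a fresh salted hash and log the user out everywhere else."""
        salt = os.urandom(16)
        self._password[user_id] = (salt, self._password_hash(new_password, salt))
        self._sessions.pop(user_id, None)   # cookies captured before the change stop working
        return True

    def verify_password(self, user_id, password):
        record = self._password.get(user_id)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._password_hash(password, salt))

    def open_session(self, user_id):
        sid = secrets.token_urlsafe(24)
        self._sessions.setdefault(user_id, set()).add(sid)
        return sid

    def session_valid(self, user_id, sid):
        return sid in self._sessions.get(user_id, set())


if __name__ == "__main__":
    # Constructed walk-through for a sample user "alice".
    recovery = AccountRecovery()
    old_cookie = recovery.open_session("alice")
    link_token = recovery.issue_reset_token("alice")
    print("email link carries:", link_token)
    assert recovery.redeem_reset_token("alice", link_token)        # first use works
    assert not recovery.redeem_reset_token("alice", link_token)    # replay refused
    recovery.set_password("alice", "correct horse battery staple")
    assert recovery.verify_password("alice", "correct horse battery staple")
    assert not recovery.session_valid("alice", old_cookie)         # old cookie revoked
    print("reset flow ok")
```

The email should carry only the token (in a link to a page on your own domain); the user id comes from the account the visitor named on the forgotten-password form, and the token is looked up against that account, not the other way round.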
Announce That Visitors are Safe
Once you're sure that your site is not vulnerable (either because you have patched, or because you never ran an affected version of OpenSSL, which is 1.0.1 through 1.0.1f, fixed in 1.0.1g) you need to make it clear to your visitors that this is the case. If you were vulnerable, patching alone is not the end of it: the server's private key may have leaked, so replace the key and certificate and revoke the old one, and invalidate existing sessions, before you tell anyone they are safe.
Again: even if your site never suffered from the bug, you need to let visitors know that their info is safe.
The Heartbleed logo is going to become well known among those who are concerned. In the image at left, I’ve incorporated the logo into a “Heartbleed Safe” badge. The logo will draw the eye and the message is that they can buy from you and login without worry.
Clicking the badge should take the visitor to a page telling them how to change their password. You can also advise them to delete their cookies and passwords in their browser. This will make them safer, and make it harder for them to do business on your competitors’ sites, if the competition hasn’t read this column.
Give them the basics on Heartbleed. Some resources are given below.
Don't Forget Email. Be sure to send an email to your subscribers or account holders. Link them to the resource page you created for the badge. Keep that email free of "click here to reset your password" links and anything that asks for a password: phishers are sending exactly that kind of message right now, and you want your customers to learn to distrust it. Point them at the page on your own domain instead.
Announcements are or should soon be coming from host platforms such as InfusionSoft, Drupal, Joomla. We have announcements from Amazon and Yahoo that may apply to you. If you are on Shopify, people are talking about Heartbleed. If your code is on GitHub, you need to take action.
We’ll update this list as new resources come online.
UPDATE: We have confirmed that split testing tools Optimizely and Visual Website Optimizer have patched their systems. It is a good time to update your passwords with them.
There are several sites that allow users to check your site for the Heartbleed bug. These checkers are not 100% accurate: they may flag your site incorrectly, or miss it if a load balancer or CDN terminates TLS in front of your servers. Confirm on the server itself which OpenSSL version your web server is linked against, remembering that some Linux distributions backport the fix without changing the version number, so check the package changelog rather than the version string alone. Make sure your site is OK.
LastPass Heartbleed Checker
Filippo.io Heartbleed Checker