Heartbleed bug still a threat after flawed patches

Rush to patch Heartbleed bug causes sites to make dangerous errors

The majority of sites that attempted to protect themselves against Heartbleed have ended up no better for it, while some are actually more vulnerable than before.

Following Heartbleed's disclosure on 7 April, sites scrambled to patch their OpenSSL installations and revoke their old certificates. Now, data from a study conducted by Netcraft shows that many sites have not done enough to fully protect themselves from the bug.

Some 30,000 sites revoked their old certificates but did not replace their private keys, according to Netcraft. If those keys had been compromised, replacing the certificates achieves nothing: an attacker holding the key can still decrypt sensitive information and perform man-in-the-middle attacks.

Just 14 per cent of sites carried out all three steps needed to properly secure their servers: replacing their certificates, revoking the old ones and changing their private keys. More than half (57 per cent) of sites originally vulnerable to Heartbleed have not revoked or reissued their SSL certificates. A further 21 per cent have reissued their certificates but not revoked the originals, which may have been compromised.

The 30,000 sites that revoked their certificates but kept their private keys represent about five per cent of sites vulnerable to Heartbleed, says Netcraft. Worse, though, is the 20 per cent of servers that are vulnerable today but were not when the bug was disclosed. Their owners rushed to protect their systems and replaced their secure certificates with flawed ones, said Yngve Pettersen at Vivaldi.

"Media attention led concerned system administrators into believing their system was unsecure," wrote Pettersen in a blog post.

"This, perhaps combined with administrative pressure and a need to 'do something', led them to upgrade an unaffected server to a newer, but still buggy version of the system," he added.
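Of the three steps Netcraft counts, reissuing and regenerating the key can be verified from the certificate files alone. The following shell script is an added example, not from the article, Netcraft or Vivaldi; it assumes the openssl command-line tool is installed and that the old and replacement certificates are available as PEM files, and it compares their serial numbers and public-key fingerprints to tell a genuine key rotation from a reissue for the same key or no reissue at all.

```shell
#!/bin/sh
# Added example (not from the article or Netcraft): compare an old certificate
# with its replacement and report which of Netcraft's remediation steps the
# replacement reflects. Assumes the openssl command-line tool is installed.
# Revocation is recorded at the CA (CRL/OCSP), not in the files, so it is not
# checked here.
set -eu

# Serial number of a PEM certificate; a reissued certificate always gets a
# new one, so equal serials mean the "replacement" is the same certificate.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# SHA-256 of the DER-encoded SubjectPublicKeyInfo. It is identical for every
# certificate issued for the same key pair, so it shows whether the private
# key was actually regenerated or merely re-certified.
spki_hash() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status: 0 = new key pair, 1 = reissued for the old key, 2 = not reissued.
check_reissue() {
    old=$1
    new=$2
    if [ "$(cert_serial "$old")" = "$(cert_serial "$new")" ]; then
        echo "NOT REISSUED: $new is the same certificate as $old"
        return 2
    fi
    if [ "$(spki_hash "$old")" = "$(spki_hash "$new")" ]; then
        echo "KEY REUSED: $new was reissued for the same public key as $old"
        return 1
    fi
    echo "OK: $new carries a new key pair (still revoke $old at the CA)"
    return 0
}

# Usage: ./check_reissue.sh old.pem new.pem
if [ "$#" -eq 2 ]; then
    check_reissue "$1" "$2"
fi
```

A non-zero exit status flags the two mistakes the study describes: 1 for a certificate reissued for the unchanged key, 2 for a certificate that was never reissued.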
