Heartbleed bug still a threat after flawed patches
Rush to patch Heartbleed bug causes sites to make dangerous errors
The majority of sites that attempted to protect themselves against Heartbleed have ended up no better for it, while some are actually more vulnerable than before.
Following Heartbleed's public disclosure on 7 April 2014, sites scrambled to patch their OpenSSL installations and revoke their old certificates. Now, data from a study conducted by Netcraft shows that many sites haven't done enough to fully protect themselves from the bug's consequences.
Some 30,000 sites revoked their old certificates but did not replace their private keys, according to Netcraft. If those keys were leaked through Heartbleed, replacing the certificate achieves nothing: an attacker who holds the private key can still decrypt captured traffic (where the server did not use a forward-secret key exchange) and perform man-in-the-middle attacks.
Just 14 per cent of sites carried out all three steps needed to properly secure their servers: replacing their certificates, revoking the old ones and changing their private keys. More than half (57 per cent) of sites originally vulnerable to Heartbleed have neither revoked nor reissued their SSL certificates. A further 21 per cent have reissued their certificates but not revoked the originals, which may have been compromised.
The 30,000 sites that revoked their certificates but not their private keys represent about five per cent of sites vulnerable to Heartbleed, says Netcraft. Worse, though, is the 20 per cent of servers vulnerable today that were not when the bug was uncovered. Their owners rushed to protect their systems and, in doing so, upgraded to an OpenSSL release that is itself vulnerable, said Yngve Pettersen at Vivaldi.
"Media attention led concerned system administrators into believing their system was unsecure," wrote Pettersen in a blog post.
"This, perhaps combined with administrative pressure and a need to 'do something', led them to upgrade an unaffected server to a newer, but still buggy version of the system," he added.
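A practical check for the two failure modes described above (a "replacement" certificate that keeps the possibly compromised key, and an upgrade that lands on an OpenSSL release that is itself affected), as an added example that is not part of the article or of Netcraft's or Pettersen's work. It assumes the openssl command-line tool is installed; the certificates it generates, the host name example.test, and the version strings it classifies are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): verify that a replacement certificate
# really carries a new public key, and classify an upstream OpenSSL version
# string against the Heartbleed-affected range. Requires the openssl CLI.
# All file names, the host name and the demo certificates are constructed.
set -eu

# SHA-256 of the certificate's SubjectPublicKeyInfo (PEM form). Two
# certificates that print the same value were issued for the same key pair,
# so the newer one is a reissue that does not help after a key compromise.
pubkey_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds (exit 0) only when NEW_CERT ($2) uses a different key than OLD_CERT ($1).
key_changed() {
    [ "$(pubkey_fingerprint "$1")" != "$(pubkey_fingerprint "$2")" ]
}

# Classify an upstream OpenSSL version string. Affected: 1.0.1 through 1.0.1f
# and 1.0.2-beta1; fixed in 1.0.1g and 1.0.2-beta2; 1.0.0 and 0.9.8 never
# had the heartbeat code. Vendor builds (e.g. 1.0.1e-<suffix>) may carry a
# backported fix under the old number, so they are reported separately.
heartbleed_status() {
    case "$1" in
        1.0.2-beta1)          echo affected ;;
        1.0.1|1.0.1[a-f])     echo affected ;;
        1.0.1[a-f]-*|1.0.1-*) echo vendor-build ;;
        *)                    echo unaffected ;;
    esac
}

# Build three self-signed certificates in DIR (constructed demo data):
#   old.crt                 the original certificate
#   reissued_same_key.crt   a "replacement" signed with the old private key
#   reissued_new_key.crt    a replacement with a freshly generated key
make_demo_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/old.key" \
        -out "$dir/old.crt" -subj /CN=example.test -days 1 2>/dev/null
    openssl req -x509 -new -key "$dir/old.key" \
        -out "$dir/reissued_same_key.crt" -subj /CN=example.test -days 1 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/new.key" \
        -out "$dir/reissued_new_key.crt" -subj /CN=example.test -days 1 2>/dev/null
}

# Demo run: one reissue keeps the old key, the other does not.
demo=$(mktemp -d)
make_demo_certs "$demo"
for cert in reissued_same_key reissued_new_key; do
    if key_changed "$demo/old.crt" "$demo/$cert.crt"; then
        echo "$cert.crt: key changed"
    else
        echo "$cert.crt: SAME key as old.crt, reissuing is not enough"
    fi
done
for v in 1.0.0l 1.0.1e 1.0.1g 1.0.1e-2+deb7u7; do
    echo "OpenSSL $v: $(heartbleed_status "$v")"
done
rm -rf "$demo"
```

To audit a live server, feed it the certificate it currently serves (for example the output of `openssl s_client -connect host:443 -showcerts`) alongside the one it served before the fix; identical fingerprints mean the key was never rotated. The version table is the upstream one; a vendor build such as 1.0.1e-2+deb7u7 needs the distribution's changelog, not the version number, to decide whether it is patched.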