Heartbleed bug still a threat after flawed patches
Rush to patch Heartbleed bug causes sites to make dangerous errors
The majority of sites that attempted to protect themselves against Heartbleed have ended up no better for it, while some are actually more vulnerable than before.
Following Heartbleed's public disclosure on 7 April, sites scrambled to patch their OpenSSL installations and revoke their old certificates. Now, data from a study conducted by Netcraft shows that many sites have not done enough to fully protect themselves from the bug.
Some 30,000 sites revoked their old certificates but did not replace their private keys, according to Netcraft. If those keys were compromised, replacing the certificates is moot: the reissued certificate carries the same public key, so an attacker holding the private key can still decrypt sensitive traffic and perform man-in-the-middle attacks.
Just 14 per cent of sites conducted all three steps needed to properly secure their servers: replacing their certificates, revoking the old ones and changing their private keys. More than half (57 per cent) of sites originally vulnerable to Heartbleed have not revoked or reissued their SSL certificates. A further 21 per cent have reissued their certificates but not revoked the originals, which may have been compromised.
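The check a site owner needs after a reissue is simple to state and easy to get wrong: does the new certificate contain a different public key from the old one, and was it issued after the disclosure? The script below is an added example written for this article, not Netcraft's tooling or code from the page. It uses only the Python standard library and parses just enough DER to pull the SubjectPublicKeyInfo and notBefore fields out of an X.509 certificate; it does not verify signatures. The sample certificates at the bottom are constructed in place (unsigned, with hypothetical names and a fake modulus) so that the script runs offline; for a real check, pass the old and new PEM files to `assess_reissue`.

```python
"""Check whether a reissued certificate actually carries a new key.

Added example for this article, not Netcraft's tooling or code from the page.
Standard library only: a minimal DER walker pulls SubjectPublicKeyInfo and
notBefore out of an X.509 certificate. Signatures are not verified.
"""
import base64
import hashlib
import re
from datetime import datetime, timezone

HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)

def _tlv(buf, pos):
    """Decode the DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def load_der(data):
    """Accept a PEM certificate (str or bytes) or raw DER; return DER bytes."""
    if isinstance(data, str):
        data = data.encode()
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def _tbs_fields(der):
    """TBSCertificate elements as (tag, tlv_start, value_start, value_end) with the
    optional [0] version dropped: serial, signature, issuer, validity, subject, spki, ..."""
    _, cs, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, pos, te = _tlv(der, cs)              # tbsCertificate ::= SEQUENCE
    fields = []
    while pos < te:
        tag, vs, ve = _tlv(der, pos)
        fields.append((tag, pos, vs, ve))
        pos = ve
    return fields[1:] if fields[0][0] == 0xA0 else fields

def spki_fingerprint(cert):
    """SHA-256 over the DER SubjectPublicKeyInfo TLV (the same value HPKP pins use)."""
    der = load_der(cert)
    _, tlv_start, _, ve = _tbs_fields(der)[5]
    return hashlib.sha256(der[tlv_start:ve]).hexdigest()

def not_before(cert):
    """notBefore from Validity ::= SEQUENCE { notBefore Time, notAfter Time }."""
    der = load_der(cert)
    _, _, vs, _ = _tbs_fields(der)[3]
    tag, ts, te = _tlv(der, vs)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(der[ts:te].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def assess_reissue(old_cert, new_cert):
    """Did the reissue change the key, and was the new cert issued after disclosure?"""
    key_changed = spki_fingerprint(old_cert) != spki_fingerprint(new_cert)
    after = not_before(new_cert) >= HEARTBLEED_DISCLOSED
    if not key_changed:
        verdict = "same public key: the new certificate protects nothing if the old key leaked"
    elif not after:
        verdict = "new key, but issued before disclosure: it may itself have been exposed"
    else:
        verdict = "new key issued after disclosure"
    return {"key_changed": key_changed, "issued_after_disclosure": after, "verdict": verdict}

# --- constructed sample certificates (hypothetical, unsigned; they only exercise the parser) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

RSA_OID = bytes.fromhex("06092a864886f70d010101")         # rsaEncryption
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption
NULL = b"\x05\x00"

def _name(cn):   # Name ::= SEQUENCE { SET { SEQUENCE { commonName OID, UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x0C, cn.encode()))))

def _spki(key_label):
    modulus = hashlib.sha256(key_label).digest() * 8    # stand-in for a 2048-bit modulus
    rsa_key = _der(0x30, _der(0x02, b"\x00" + modulus) + _der(0x02, b"\x01\x00\x01"))
    return _der(0x30, _der(0x30, RSA_OID + NULL) + _der(0x03, b"\x00" + rsa_key))

def make_cert(serial, nb, na, key_label):
    validity = _der(0x30, _der(0x17, nb.encode()) + _der(0x17, na.encode()))
    tbs = _der(0x30, b"\xa0\x03\x02\x01\x02" + _der(0x02, bytes([serial]))
               + _der(0x30, SHA256_RSA_OID + NULL) + _name("Example CA") + validity
               + _name("www.example.com") + _spki(key_label))
    return _der(0x30, tbs + _der(0x30, SHA256_RSA_OID + NULL) + _der(0x03, b"\x00" * 33))

OLD = make_cert(1, "130601000000Z", "150601000000Z", b"key generated in 2013")
SAME_KEY = make_cert(2, "140410000000Z", "160410000000Z", b"key generated in 2013")
NEW_KEY = make_cert(3, "140410000000Z", "160410000000Z", b"key generated in 2014")

if __name__ == "__main__":
    for label, cert in (("reissued, same key", SAME_KEY), ("reissued, new key", NEW_KEY)):
        print(f"{label}: {assess_reissue(OLD, cert)['verdict']}")
```

Against real input, feed it the certificate served before the change (from an old capture or CT log) and the one served now: a matching SPKI fingerprint means the reissue did not rotate the key, which is exactly the state the 30,000 sites above are in, and a notBefore earlier than 7 April means the "new" key was generated while the server could still have been bleeding it.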
The 30,000 sites that revoked their certificates but kept their private keys represent about five per cent of sites vulnerable to Heartbleed, says Netcraft. Worse, though, are the 20 per cent of servers vulnerable today that were not when the bug was uncovered. Their owners rushed to protect systems that were never affected and upgraded them to a newer, but still vulnerable, version of OpenSSL, said Yngve Pettersen at Vivaldi.
"Media attention led concerned system administrators into believing their system was unsecure," wrote Pettersen in a blog post.
"This, perhaps combined with administrative pressure and a need to 'do something', led them to upgrade an unaffected server to a newer, but still buggy version of the system," he added.
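The trap Pettersen describes is easy to reproduce with a version comparison. The following is an added example written for this article (not Pettersen's prober or code from the page) that classifies `openssl version` strings against the affected range. The affected upstream releases are OpenSSL 1.0.1 through 1.0.1f, with 1.0.1g as the fix; 0.9.8 and 1.0.0 never contained the TLS heartbeat code, so moving such a server to 1.0.1e introduces the bug rather than removing it. The version strings in the block are constructed samples. One caveat: major Linux distributions back-ported the fix without changing the upstream version string, so a string alone is a first screen and not a verdict; the `distro_backport` flag stands for that out-of-band knowledge.

```python
"""Screen OpenSSL version strings for the Heartbleed-affected range.

Added example, not from the article or from Pettersen's prober. Affected upstream
releases: OpenSSL 1.0.1 through 1.0.1f; 1.0.1g carries the fix. 0.9.8 and 1.0.0
never contained the TLS heartbeat code. 1.0.2-beta1 was also affected but is not
handled here. Distributions back-ported the fix without bumping the upstream
version string, so treat this as a first screen only.
"""
import re

# Accepts both bare "1.0.1e" and the full `openssl version` line "OpenSSL 1.0.1e 11 Feb 2013".
VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """'OpenSSL 1.0.1e 11 Feb 2013' -> (1, 0, 1, 'e'); raises ValueError if unparsable."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]


def heartbleed_status(text, distro_backport=False):
    """Classify one version string: 'unaffected', 'fixed', 'backported' or 'vulnerable'."""
    major, minor, fix, letter = parse_version(text)
    if (major, minor, fix) != (1, 0, 1):
        return "unaffected"          # 0.9.8, 1.0.0, 1.0.2 and later releases
    if letter >= "g":                # 1.0.1g (7 Apr 2014) and later carry the fix
        return "fixed"
    return "backported" if distro_backport else "vulnerable"


def upgrade_effect(old_text, new_text):
    """Describe what moving from old_text to new_text does to Heartbleed exposure."""
    before, after = heartbleed_status(old_text), heartbleed_status(new_text)
    if after == "vulnerable" and before != "vulnerable":
        return "upgrade INTRODUCED Heartbleed"
    if after == "vulnerable":
        return "still vulnerable"
    if before == "vulnerable":
        return "upgrade fixed Heartbleed"
    return "no change in exposure"


if __name__ == "__main__":
    # Constructed sample strings in the format `openssl version` prints.
    for old, new in (("OpenSSL 1.0.0k 5 Feb 2013", "OpenSSL 1.0.1e 11 Feb 2013"),
                     ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014"),
                     ("OpenSSL 0.9.8y 5 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014")):
        print(f"{old} -> {new}: {upgrade_effect(old, new)}")
```

The first sample pair is the case in the quote above: a 1.0.0 server that was never exposed is "upgraded" to 1.0.1e and becomes vulnerable. On a live host, a version string that screens as vulnerable should be confirmed with a heartbeat probe or the distribution's changelog before anyone rotates keys a second time.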