Heartbleed bug still a threat after flawed patches

Rush to patch Heartbleed bug causes sites to make dangerous errors

The majority of sites that attempted to protect themselves against Heartbleed have ended up no better for it, while some are actually more vulnerable than before.

Following Heartbleed's public disclosure on 7 April, sites scrambled to patch their OpenSSL installations and revoke their old certificates. Now, data from a study conducted by Netcraft shows that many sites have not done enough to fully protect themselves from the bug.

Some 30,000 sites revoked their old certificates but did not replace their private keys, according to Netcraft. If those keys had been compromised, replacing the certificates alone is moot: an attacker holding the private key can decrypt sensitive information and perform man-in-the-middle attacks.

Just 14 per cent of sites conducted all three steps needed to properly secure their servers: replacing their certificates, revoking the old ones and changing their private keys. More than half (57 per cent) of sites originally vulnerable to Heartbleed attack have not revoked or reissued their SSL certificates. A further 21 per cent have reissued their certificates but not revoked the originals that may have been compromised.

The 30,000 sites that revoked their certificates but not their private keys represent about five per cent of sites vulnerable to Heartbleed, says Netcraft. Worse, though, is the 20 per cent of servers vulnerable today that were not when the bug was uncovered. Their owners rushed to protect their systems and replaced their secure certificates with flawed ones, said Yngve Pettersen at Vivaldi.

"Media attention led concerned system administrators into believing their system was unsecure," wrote Pettersen in a blog post.

"This, perhaps combined with administrative pressure and a need to 'do something', led them to upgrade an unaffected server to a newer, but still buggy version of the system," he added.
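A check for the "reissued but same key" mistake that Netcraft describes, as an added example that is not from the article or from Netcraft: it compares the SHA-256 fingerprint of the SubjectPublicKeyInfo in the old and new certificates, so a reissued certificate that still carries the possibly leaked key is flagged. It assumes the openssl command-line tool is installed; the subject name and file names are made up, and the certificates are throwaway self-signed ones generated in a scratch directory.

```shell
#!/bin/sh
# Added example (not the article's code): detect a certificate reissued on the
# same private key after Heartbleed. Assumes the openssl CLI is available.
set -eu

# SHA-256 fingerprint of a certificate's SubjectPublicKeyInfo (DER encoded).
# Two certificates with the same fingerprint were issued for the same key pair.
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Prints "rotated" when the new certificate uses a different key than the old
# one, and "same-key" when the key was reused (remediation is incomplete).
key_rotation_status() {
    if [ "$(spki_fingerprint "$1")" = "$(spki_fingerprint "$2")" ]; then
        echo same-key
    else
        echo rotated
    fi
}

# Constructed scenario: throwaway self-signed certificates in a temp directory.
demo_dir=$(mktemp -d)
cd "$demo_dir"
# The pre-Heartbleed certificate and its (assumed compromised) key.
openssl req -x509 -newkey rsa:2048 -nodes -keyout old.key -out old.crt \
    -subj /CN=example.test -days 1 >/dev/null 2>&1
# Mistake: fresh certificate, but issued for the same private key.
openssl req -x509 -key old.key -out reissued_samekey.crt \
    -subj /CN=example.test -days 1 >/dev/null 2>&1
# Correct remediation: new private key and a certificate for it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout new.key -out reissued_newkey.crt \
    -subj /CN=example.test -days 1 >/dev/null 2>&1

echo "reissued_samekey.crt: $(key_rotation_status old.crt reissued_samekey.crt)"
echo "reissued_newkey.crt:  $(key_rotation_status old.crt reissued_newkey.crt)"
```

The check covers only the key-rotation step; whether the old certificate was actually revoked has to be confirmed separately against the issuing CA's CRL or OCSP responder.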
