Have we done enough to battle Heartbleed flaw?

A year on, security experts consider the response to the massive Heartbleed flaw in OpenSSL

Have companies done enough to fight the Heartbleed flaw? A year on, one report is saying 75 per cent of potential victims are still at risk - but others are casting doubt on that claim. 

Last year, a critical bug dubbed Heartbleed was found in OpenSSL, letting attackers snoop on data sent online - including everything from passwords to security certificates. The flaw had sat in the code, unfixed, for two years.

A year on, certificate service Venafi TrustNet has claimed that three quarters of the top 2,000 companies in the world remain vulnerable to the flaw.

"Why have organisations still not completed full remediation?" its report asked. "Organisations have either given up on properly replacing keys and certificates, most likely not grasping the full risk exposure this creates, or do not have the knowledge to understand how to complete remediation."

Venafi said that many users are requesting new certificates, but using existing keys, when they should be demanding entirely new private keys.

"Enterprises must assume, just as they do with user IDs and passwords following an incident, that all keys and certificates are compromised, not just those that secured vulnerable Heartbleed systems," the report added. 
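The remediation gap Venafi describes above, a certificate re-issued on the old private key, is easy to check for on the defender's side: the SubjectPublicKeyInfo of the renewed certificate must differ from that of the one it replaces. The following is an added example, not code from the article or from Venafi, Errata Security or OpenSSL. It uses only the Python standard library and a minimal DER walker (assumed to be given well-formed, definite-length DER, not a full X.509 parser), and it builds its own constructed, unsigned certificate skeletons with placeholder key material so it runs offline.

```python
"""Check whether a renewed X.509 certificate actually carries a new public key.

Added example (not from the article). A certificate is "remediated" after a
key-compromise event like Heartbleed only if its SubjectPublicKeyInfo (SPKI)
changed; a re-issued certificate over the same key is still the old key.
"""
import base64
import hashlib


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                      # long-form length: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, tlv_start, tlv_end) for each TLV inside a constructed value."""
    pos = start
    while pos < end:
        tag, _, vend = _read_tlv(buf, pos)
        yield tag, pos, vend
        pos = vend


def load_cert(data):
    """Accept a PEM or DER certificate and return its DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(line for line in data.splitlines() if not line.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def spki_from_der_cert(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV from a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, tbs_list_start, _ = _read_tlv(cert_der, 0)            # outer Certificate SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    tag, tbs_start, tbs_end = _read_tlv(cert_der, tbs_list_start)  # TBSCertificate SEQUENCE
    assert tag == 0x30, "TBSCertificate is not a SEQUENCE"
    fields = list(_children(cert_der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                                   # explicit [0] version is optional
        fields = fields[1:]
    _, spki_start, spki_end = fields[5]                        # 6th mandatory field is the SPKI
    return cert_der[spki_start:spki_end]


def spki_sha256(cert_der):
    """Hex SHA-256 of the SPKI, the same value used for public-key pinning."""
    return hashlib.sha256(spki_from_der_cert(cert_der)).hexdigest()


def key_was_rotated(old_cert, new_cert):
    """True only if the renewed certificate is bound to a different public key."""
    return spki_from_der_cert(load_cert(old_cert)) != spki_from_der_cert(load_cert(new_cert))


# --- constructed test fixtures (placeholder, unsigned certificate skeletons) ---
def _der(tag, value):
    """Minimal DER TLV encoder, used only to build the sample certificates below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _toy_spki(key_bytes):
    """SPKI with the rsaEncryption OID and placeholder key bytes as the BIT STRING."""
    rsa_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _der(0x05, b""))
    return _der(0x30, rsa_alg + _der(0x03, b"\x00" + key_bytes))


def _toy_cert(serial, spki):
    """Constructed v3 certificate skeleton: real field order, placeholder contents, dummy signature."""
    version = _der(0xA0, _der(0x02, b"\x02"))
    sig_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    name = _der(0x30, b"")                                     # empty Name, placeholder
    validity = _der(0x30, _der(0x17, b"150407000000Z") + _der(0x17, b"160407000000Z"))
    tbs = _der(0x30, version + _der(0x02, serial) + sig_alg + name + validity + name + spki)
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" * 5))


OLD_KEY = b"old-key-material-placeholder"       # constructed, not a real key
NEW_KEY = b"fresh-key-material-placeholder"     # constructed, not a real key
OLD_CERT = _toy_cert(b"\x01", _toy_spki(OLD_KEY))
RENEWED_SAME_KEY = _toy_cert(b"\x02", _toy_spki(OLD_KEY))   # new serial, old key: not remediated
RENEWED_NEW_KEY = _toy_cert(b"\x03", _toy_spki(NEW_KEY))    # new serial, new key: remediated

if __name__ == "__main__":
    for label, cert in (("old", OLD_CERT), ("reissued", RENEWED_SAME_KEY), ("rekeyed", RENEWED_NEW_KEY)):
        print(f"{label:9} spki-sha256={spki_sha256(cert)} rotated={key_was_rotated(OLD_CERT, cert)}")
```

On real certificates the same comparison can be made with `openssl x509 -noout -pubkey` on the old and new files; if the two outputs match, the renewal did not retire the exposed key.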

However, another security expert, Robert Graham of Errata Security, claimed the risk isn't as serious as Venafi suggests - and pointed out that the company stands to benefit from any panic around certificates, as it "sells a solution for that problem". 

"Only a small percentage of systems were vulnerable to Heartbleed in the first place, and it's hard to say which certificates actually needed to be replaced," explained Graham in a blog post.

"The fact is this: most companies patched their systems before their certificates were stolen," he added. "For those who did get certificates stolen, it's unlikely that their servers can be breached with that information.

"Sure, some user accounts may get compromised by hackers doing man-in-the-middle at Starbucks, but the servers themselves are safe. Even if you did everything wrong updating your certificates, you probably aren't in danger. Sure, some of you are, but most of you aren't."

Open-source support

There's more to Heartbleed than simply updating certificates, noted AVG's CTO Yuval Ben-Itzhak. 

In a blog post, he said that it doesn't appear as though the web is a more secure place a year on from the discovery of the bug, or that we've learned many lessons from the massive web flaw. 

In particular, he called for more support for open-source projects, noting that many of us make use of OpenSSL, but few donate time or money to support it. 

"The OpenSSL Project does a great job finding and fixing vulnerabilities when they appear but in order to truly move the dial for Internet security, we need more investment," he said. "Right now, the hands of the world's online safety is in the hands of only a few coders working in small teams. That simply won't do."
