Heartbleed Update

There’s good news, and bad news.

A bug called Heartbleed

When a Google engineer found Heartbleed this spring – the OpenSSL security bug that affected more than a million servers, many of which were among the “highly trusted” – panic ensued. The hysteria wasn’t helpful, but it was understandable:

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users (source).

There was a flurry of headlines. Security experts and web users alike did what they could to mitigate the risks. Meanwhile, fuzz testing tool company Codenomicon gave the bug its own name and logo – and now, two months later, we thought it was time for an update.

So what’s new with the bug?

When Heartbleed made its debut, Robert David Graham, CEO of Errata Security (Atlanta, GA), identified 600,000 affected servers to start with.

The good news is, it took only one month for that number to drop to 318,239.

The bad news is, it hasn’t dropped much since. Fewer than 10,000 of the remaining servers have been patched against the bug, meaning the fix has plateaued with over 300,000 servers still bleeding.

A few precautions for the meantime

1. Be aware that with a problem this sprawling, countless websites will remain vulnerable for years to come. We can expect the big names to get fixed more quickly than the little ones – and as we just pointed out, even plenty of big names are not getting fixed fast.

2. Bookmark your Heartbleed checker of choice. Go to LastPass or 1Password and type in a URL to determine whether it’s bleeding or bandaged.

3. Who has access to your sensitive data? For each website you use, contact the webmaster to find out whether or not they’ve patched it. If they have, change your password.

4. Get a browser extension. For example, Chrome users can download the free app Chromebleed Checker, which runs in the background and notifies you if it thinks the site you’re using is vulnerable to Heartbleed. Similar tools should be available for any browser you’re using.
