Heartbleed is not dead. And isn’t likely to be any time soon

Graham Cluley

It’s almost three years since the Heartbleed vulnerability gave sysadmins palpitations, potentially leaking millions of passwords and exposing private SSL keys from vulnerable web servers.

By September 2015, I hoped that the situation would have improved. After all, system administrators had had plenty of time to apply OpenSSL patches and secure their systems. However, that hope was forlorn – over 200,000 devices were found to be still vulnerable.

So what now?

John Matherly, founder of Shodan, revealed the current sorry state of affairs via a tweet announcing their report on Heartbleed’s continued existence:

Here’s my prediction. In a year’s time, we won’t see any significant reduction in the number of Heartbleed vulnerable websites and devices connected to the internet.

This is as good as it’s going to get. The people who cared about fixing their systems against the Heartbleed vulnerability did it long ago.

The others simply don’t give a damn.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

3 Replies to “Heartbleed is not dead. And isn’t likely to be any time soon”

  1. It could be worse than that.

    To determine what version of OpenSSL is in use, you do

    curl --head http://localhost/ (or whichever URL you're testing).

    The response you get will include something like:

    Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8g

    Version 0.9.8g is, of course, vulnerable to the Heartbleed vul. You fix it by updating your OpenSSL, recompiling Apache and restarting Apache. Which, I have to add, is a bit of a pain in the arse if you have to do it each month.

    But if you don't want people to know which version of Apache and OpenSSL you're running (which seems like a sensible thing to do, why give out information that could help an attacker?) you set ServerTokens to reduce the info that you're giving out.

    So for servers that have this set to anything other than "Full", you don't know the version of OpenSSL. Which means that they'll pass PCI DSS even if they're vulnerable to Heartbleed.

    And no-one will know.

    1. I know and it's a real problem.

      PCI DSS is strict compared to other countries' standards, but when you think about how old some banks' TLS certificates are (and they pass PCI DSS) you begin to realise that the Payment Card Industry are paying lip service to security.

      1. 80% of merchants fail PCI DSS compliance.

        http://securityaffairs.co/wordpress/34768/security/80-percent-failure-pci-dss.html

        PCI DSS is a fine example of security theatre.
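The banner check described in the first reply above, written out as an added example for this page (it is not the commenter's code and not a tool from the post): it parses a raw response head of the kind `curl --head` prints, pulls the `OpenSSL/` token out of the Server header, and classifies it against the affected range in the OpenSSL advisory for CVE-2014-0160 (1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g and later are fixed, and the 1.0.0 and 0.9.8 branches never had the bug). The sample response heads are constructed, not captured from any host. The `unknown` result is the point the reply makes: a server with ServerTokens set to anything below Full gives you no version to judge, and that is not a pass.

```python
import re
from typing import Optional

# Constructed sample response heads, in the shape `curl --head` prints them.
# None of these was captured from a real host.
SAMPLE_HEADS = {
    "full":   "HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.1e\r\nContent-Type: text/html\r\n\r\n",
    "old":    "HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8g\r\n\r\n",
    "prod":   "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",            # ServerTokens Prod
    "silent": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",  # Server header removed entirely
}

# Builds affected by CVE-2014-0160 per the OpenSSL security advisory of
# 7 April 2014: 1.0.1 through 1.0.1f, plus 1.0.2-beta1. 1.0.1g and later are
# fixed; the 1.0.0 and 0.9.8 branches never contained the heartbeat bug.
# The optional "-..." suffix accepts vendor tags such as "1.0.1e-fips".
_V101 = re.compile(r"^1\.0\.1([a-z]?)(?:-.*)?$")


def server_header(raw_head: str) -> Optional[str]:
    """Return the Server header value from a raw response head, or None if absent."""
    for line in raw_head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def openssl_version(server_value: Optional[str]) -> Optional[str]:
    """Pull the 'OpenSSL/x.y.z' token out of a Server header, if it is advertised at all."""
    if not server_value:
        return None
    m = re.search(r"OpenSSL/(\S+)", server_value)
    return m.group(1) if m else None


def heartbleed_status(version: Optional[str]) -> str:
    """Classify an advertised OpenSSL version string.

    'unknown' is the honest answer when the banner is hidden or trimmed by
    ServerTokens; it must not be reported as a pass.
    'vulnerable version' means the string falls in the affected range; a
    distribution that backported the fix keeps the same string, so this is a
    reason to run a real heartbeat probe, not a confirmed finding.
    """
    if version is None:
        return "unknown"
    m = _V101.match(version)
    if m:
        # "" (plain 1.0.1) and letters a..f are affected; g and later are fixed.
        return "vulnerable version" if m.group(1) <= "f" else "fixed version"
    if version == "1.0.2-beta1":
        return "vulnerable version"
    return "not affected"


def assess(raw_head: str) -> str:
    """End-to-end: raw response head -> Heartbleed banner classification."""
    return heartbleed_status(openssl_version(server_header(raw_head)))


if __name__ == "__main__":
    for label, head in SAMPLE_HEADS.items():
        print(f"{label:6} Server={server_header(head)!r:55} -> {assess(head)}")
```

Two caveats for anyone tempted to use this as more than an illustration. A distribution that backports the fix keeps the old version string, so "vulnerable version" means "send a real heartbeat probe", not "confirmed". And in the other direction a banner can be trimmed, removed or faked, so nothing in the Server header can clear a host; only a heartbeat test against the TLS endpoint itself can.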
