Four weeks later, HeartBleed lives on

Last month, a new security flaw came to light known as HeartBleed. HeartBleed is a flaw in a widely used cryptography package and was found to affect around 600,000 servers worldwide. It could be used to acquire passwords, login info, and even encryption data. According to Ars Technica, two recent estimates show that it is still prevalent today.

A little more than four weeks ago, a scan performed by Rob Graham, CEO of Errata Security, found that about 615,268 servers were vulnerable to this attack. On Thursday, another scan showed a little more than half that number, about 318,239 servers, still running an OpenSSL crypto library with the "Heartbeat" feature in which the flaw lies. A separate scan, performed with somewhat different techniques, suggested that slightly less than half of the servers believed to be affected still remain open to exploitation. That scan used a tool called TLS Prober, written by a researcher known as Yngve. Using this tool, he found that 5.36% of all servers were affected by HeartBleed as of April 11, only a few days after the flaw had been disclosed. In his latest blog post, he reports that 2.33% of servers are still affected today, a figure that does not include servers providing VPN or email services.

Yngve also stated that the number of servers using vulnerable encryption accelerators manufactured by F5 had barely changed, possibly because new F5 BigIP systems are still being brought online with the HeartBleed vulnerability. The researcher stated that "As BigIP servers are used by sites serving large number[s] of users, this represents a significant security problem for those users." He added that, of the sites patched in the past month, an estimated two-thirds may not have revoked their old certificates and issued new ones. Ars Technica noted that updating the OpenSSL software is only the first step in closing the HeartBleed security flaw.
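As an added example (not code from the article or from the researchers it cites), the following Python check encodes that remediation order: once a host has been updated, a certificate issued before the patch date still has to be reissued and the old certificate revoked. The hostnames, patch dates and notBefore strings are constructed; notBefore uses the format that ssl.SSLSocket.getpeercert() returns, so a live value can be dropped in.

```python
"""Post-Heartbleed remediation audit: patching OpenSSL is only step one."""
import ssl
from datetime import datetime, timezone

# Constructed sample inventory (hostnames and dates are made up).
# "not_before" uses the format of ssl.SSLSocket.getpeercert()["notBefore"].
SAMPLE_HOSTS = [
    {"host": "unpatched.example", "patched_on": None,
     "not_before": "Jan 15 00:00:00 2014 GMT", "old_cert_revoked": False},
    {"host": "patched-old-cert.example", "patched_on": "2014-04-09",
     "not_before": "Jan 15 00:00:00 2014 GMT", "old_cert_revoked": False},
    {"host": "reissued-not-revoked.example", "patched_on": "2014-04-09",
     "not_before": "Apr 10 08:30:00 2014 GMT", "old_cert_revoked": False},
    {"host": "done.example", "patched_on": "2014-04-09",
     "not_before": "Apr 10 08:30:00 2014 GMT", "old_cert_revoked": True},
]


def outstanding_steps(patched_on, not_before, old_cert_revoked):
    """Return the remediation steps still open for one host, in order.

    patched_on: ISO date the host was updated to a fixed OpenSSL, or None.
    not_before: the current certificate's notBefore, getpeercert() format.
    old_cert_revoked: whether the pre-patch certificate has been revoked.
    """
    if patched_on is None:
        # Until the library is fixed, a new certificate could leak again.
        return ["patch_openssl", "reissue_cert", "revoke_old_cert"]
    patched_at = datetime.fromisoformat(patched_on).replace(tzinfo=timezone.utc)
    issued_at = ssl.cert_time_to_seconds(not_before)  # epoch seconds, UTC
    steps = []
    if issued_at < patched_at.timestamp():
        # The private key existed while the server was exploitable: reissue.
        steps.append("reissue_cert")
    if not old_cert_revoked:
        # A leaked key stays usable until the old certificate is revoked.
        steps.append("revoke_old_cert")
    return steps


def audit(hosts):
    """Map each host that still has open steps to its outstanding list."""
    result = {}
    for h in hosts:
        steps = outstanding_steps(h["patched_on"], h["not_before"], h["old_cert_revoked"])
        if steps:
            result[h["host"]] = steps
    return result


if __name__ == "__main__":
    for host, steps in audit(SAMPLE_HOSTS).items():
        print(f"{host}: {', '.join(steps)}")
```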

Source: Vivaldi via Ars Technica | Image via Bitelia


31 Comments


Someone should make an open source Heartbleed exploit tool that I can double click and have money go into my open source bitcoin account.

So that whole "change your passwords" thing was just a bunch of BS then? What good does that do when the problem isn't being fixed?

Changing your password is good advice, but only if the flaw has been fixed first, before you change the password. So if the site you are accessing still has the Heartbleed flaw, you are best off not using the site at all (don't even visit it) until it's fixed.

ThaCrip said,
Changing your password is good advice, but only if the flaw has been fixed first, before you change the password. So if the site you are accessing still has the Heartbleed flaw, you are best off not using the site at all (don't even visit it) until it's fixed.

Sadly for us non-technical people (basically the majority, I would say) there doesn't seem to be a way of knowing what websites to avoid until they fix it, or maybe I should say, if they fix it. In my local media there was one article when it was discovered; I can't even remember if there was a clause like "good to change your passwords - hope you folks know how to (and hope you don't have only one password for every single login you use, even though we've never clearly stated why you need multiple passwords for multiple pages!)", and sadly nothing has been covered about it in the mainstream media since.

Heck, a follow-up piece would be nice, with a list of what websites to avoid.

Tigurinn said,

Sadly for us non-technical people (basically the majority, I would say) there doesn't seem to be a way of knowing what websites to avoid until they fix it, or maybe I should say, if they fix it. In my local media there was one article when it was discovered; I can't even remember if there was a clause like "good to change your passwords - hope you folks know how to (and hope you don't have only one password for every single login you use, even though we've never clearly stated why you need multiple passwords for multiple pages!)", and sadly nothing has been covered about it in the mainstream media since.

Heck, a follow-up piece would be nice, with a list of what websites to avoid.

Oh come on, quit that BS. As if there wasn't tons of information pouring out of every media outlet during the weeks after this bug was announced to the public. Not only did the media cover that it existed, nearly everyone was posting links to various tools to check websites you visit, websites known to have been un/patched, and steps you should take.

If you didn't know then you weren't listening or didn't care to know. However, I'll still link you to resources regardless.

https://filippo.io/Heartbleed/
http://watchtower.agilebits.com/
https://lastpass.com/heartbleed/
https://zmap.io/heartbleed/
https://www.ssllabs.com/ssltest/
http://mashable.com/2014/04/09...leed-bug-websites-affected/

Heck, a follow-up piece would be nice, with a list of what websites to avoid.

Well, in general most fairly well-known sites should be safe; it's probably the more obscure sites (that use SSL) that might have a problem.

Advent said,

Oh come on, quit that BS. As if there wasn't tons of information pouring out of every media outlet during the weeks after this bug was announced to the public. Not only did the media cover that it existed, nearly everyone was posting links to various tools to check websites you visit, websites known to have been un/patched, and steps you should take.

If you didn't know then you weren't listening or didn't care to know. However, I'll still link you to resources regardless.

https://filippo.io/Heartbleed/
http://watchtower.agilebits.com/
https://lastpass.com/heartbleed/
https://zmap.io/heartbleed/
https://www.ssllabs.com/ssltest/
http://mashable.com/2014/04/09...leed-bug-websites-affected/

I've heard of Mashable and I use LastPass, but I never visit that site. Heck, I'm not an IT guy and the only tech sites I visit are this one and MacRumors; and thus I'm basing my opinion on my local (nota bene local, both printed newspapers and news websites here, and those don't end in .com) media, which covered it barely for one day. And I'm not in the USA or the UK.

Tigurinn said,

I've heard of Mashable and I use LastPass, but I never visit that site. Heck, I'm not an IT guy and the only tech sites I visit are this one and MacRumors; and thus I'm basing my opinion on my local (nota bene local, both printed newspapers and news websites here, and those don't end in .com) media, which covered it barely for one day. And I'm not in the USA or the UK.

For everything I said and linked, I googled "heartbleed". You don't have an excuse for not knowing just because the sources you watch/read didn't say much about it. No one is obliged to hand-feed you news.

So you want mom and pops with no interest in technology to google "heartbleed" ...ookkkaaiiii-doookkkeeeyy. Sheesh; I'm done here

Tigurinn said,
So you want mom and pops with no interest in technology to google "heartbleed" ...ookkkaaiiii-doookkkeeeyy. Sheesh; I'm done here

Yes? I want people to stop being lazy and learn to do something on their own; age isn't even a factor here, so why bring it up? But either way, your arguments are moot. Big media sites did follow-ups; they covered Heartbleed throughout the entire week and gave tons of information for people who aren't computer literate. If YOUR news source didn't, that's their problem. Take it up with those journalists, or take it a step further and stop reading crappy news sources.

People see this as a way to bash open source, but it was actually patched the next day, and no one bashes closed source programs when they have vulnerabilities.

mastercoms said,
no one bashes closed source programs when they have vulnerabilities.

Seriously? People here are quick on the trigger to bash vulnerabilities in other operating systems, quote the mantra of how their software is always updated as soon as a vulnerability is found instead of waiting for Corporation X to push a patch, etc etc.

Max Norris said,

Seriously? People here are quick on the trigger to bash vulnerabilities in other operating systems, quote the mantra of how their software is always updated as soon as a vulnerability is found instead of waiting for Corporation X to push a patch, etc etc.

They don't criticize it being closed source though.

mastercoms said,
They don't criticize it being closed source though.

Sure, there are a few individuals here who have nothing to say except the same rhetoric over and over about how bad it is to use proprietary software, and who pretend nothing ever goes wrong on the flip side of the coin. Comes up rather frequently, actually. Not that I'm on either side, mind you. I pick what works regardless of its license; I don't have any inane agendas. I have bills to pay, not an ideology to uphold.

Max Norris said,

Sure, there are a few individuals here who have nothing to say except the same rhetoric over and over about how bad it is to use proprietary software, and who pretend nothing ever goes wrong on the flip side of the coin. Comes up rather frequently, actually. Not that I'm on either side, mind you. I pick what works regardless of its license; I don't have any inane agendas. I have bills to pay, not an ideology to uphold.

I agree. Although I don't prefer either one and just pick whichever is better, I feel like people should stop hating on FOSS just because it's FOSS. Licensing doesn't matter, quality matters, and of course all software will have a vulnerability like this at some point, since it's coded by humans.

Roger H. said,
I blame lazy admins. No excuse for that many to still be affected!

Agreed. Goes to show that half of *Nix admins aren't worth their salaries.

Yes, I mean closed source products never suffer catastrophic security flaws, like Blaster, Sasser, and the Vista cursor flaw, hmm?

Dot Matrix said,
Open source FTL!
That must be why Microsoft has been increasingly open-sourcing its software for the past several years, with Roslyn now under the Apache license and the creation of the .Net Foundation at Build 2014 (http://www.dotnetfoundation.org/news.aspx), both moves having received widespread acclaim from Windows platform and .Net developers...

Yeah, that must be because having your code out there and accepting community contributions is inherently bad for some reason.

Edited by Andre S., May 11 2014, 2:43am

CuddleVendor said,
You wouldn't be writing here without open source.

Nice trolling though, albeit a little too obvious.
No offense, but the graphical WWW originated from IE's direct predecessor.