Many apparently “secure” websites remain vulnerable to the Heartbleed OpenSSL flaw a month on from it being widely reported and a patch being offered.
According to netcraft, although many secure websites reacted promptly to the bug by replacing their SSL certificates and revoking the old certificates, some made the critical mistake of reusing the potentially-compromised private key in the new certificate.
It determined that more than 30,000 affected certificates have been revoked and reissued without changing the private key and by reusing the same private key, a site that was affected by the Heartbleed bug still faces exactly the same risks as those who had not yet replaced their SSL certificates.
Commenting, TK Keanini, CTO of Lancope, said: “There are two critical changes that need to take place: the first is that a website using the vulnerable version of OpenSSL must replace this library and recompile the server; in addition they need to replace the key pairs both private and public for all website that were hosted on the vulnerable service.
“Some folks either don’t have the technical abilities to perform this type of maintenance and for those folks we ask that they find a hosting facility that can help them maintain security levels sufficient for being on the internet.”
In a separate analysis, Robert Graham at research firm Errata Security found that 318,239 of 600,000 previously vulnerable systems remained vulnerable.
“Last month, I found one million systems supporting the ‘heartbeat’ feature (with one third patched). This time, I found 1.5 million systems supporting the ‘heartbeat’ feature, with all but the 300,000+ patched ,” Graham said.
“This implies to me that the first response to the bug was to disable heartbeats, then later when people correctly patched the software, heartbeats were re-enabled. Note that only OpenSSL supports heartbeats, meaning that the vast majority of SSL-supporting servers are based on software other than OpenSSL.”
Russ Spitler, vice president of product strategy at AlienVault, said: “This is really unfortunate news, though I suppose not terribly surprising. Heartbleed has been a really amazing event from a few different angles, the breadth of the exposure but also the speed and scope of the response.
“We have seen huge portions of the internet mobilised to react in a short amount of time which is largely unprecedented. However, we have a slightly different exposure than we have seen in the past. From a historical standpoint, most exposures of this scale were due to a single vendor’s operating system having an issue and the remediation was often as simple as applying a vendor supplied patch. Here, we have the same dynamic of a vendor supplied patch but the nature of the vulnerability requires additional steps to address the exposure – updating the certificates used in the vulnerable systems.
“It is amazing so many have taken this step, but the stat provided shows a failure of education. Those who understood the vulnerability were successful in convincing the world of its impact and the need to address it, but unfortunately those who understood completely failed at explaining what steps needed to be taken. Replacing the certificate without generating a new private key makes the effort completely wasted.
“It is not an issue of testing as the people who have done this just failed to understand why they were doing it, and those who instructed them to do it assumed that they were being clear enough. There was an education gap between the two and in that situation I blame the security experts not the people who tried to do the right thing. In this situation I would actually put the scrutiny on the certificate authorities, if a customer is resubmitting for a new certificate due to compromise but using the same private key the request should be rejected. This is not a problem of regulation but one of education.”