Last updated: 16 May 2016
It’s been over a year since Heartbleed was uncovered, a vulnerability in OpenSSL (versions 1.0.1-1.0.1f, 1.0.2-beta and 1.0.2-beta1) which can enable encryption keys, and therefore usernames, passwords and other information, to be revealed. OpenSSL, for the record, is in use across millions of web sites — it’s the ’S’ in HTTPS — as well as devices from firewalls to IP phones.
Security professionals have occasionally been accused of hype-ing up security issues but on this occasion the attention was merited. As Bruce Schneier said at the time, “’Catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.” XKCD provides a good explanation of what the buffer overrun does, for the lay person.
Why is Heartbleed so serious? It results in the worst of both worlds —not only does it mean the encryption might as well not be there, but it is also straightforward to test. It’s like having a broken lock on the front door, then having a sign up saying the lock is broken.
While this time last year half a million sites were left vulnerable, it’s also over a year since those good people at OpenSSL provided a simple-to-implement fix. That would be the end of it you’d think, but the not so good news is, there’s still a staggering number of sites which haven’t done so.
How do we know this? Anyone can find out using a Google dork – that is, a search string which uncovers security weaknesses in web-accessible files (as described by the FBI). As it stands, a query on the above OpenSSL extensions currently returns 27,400 results.
There’s also a test or two you can run to find out if your site is still vulnerable. If it is, you should both make sure the system is patched and also change passwords and revoking/replacing SSL certificates as appropriate. The advice offered by Ed Felten April last year remains valid, both for site owners and security-conscious punters.
The point is however, that a major, major exploit remains unpatched for absolutely no reason other than ignorance, idleness and a lack of priority. Hosting providers in particular (and we know of at least one) have no excuses whatsoever but to get their servers in order as quickly as possible.
In case you missed it, read Steve Helm’s blog post from 2014 on the Heartbleed vulnerability to learn why this bug reinforces the importance of strong cryptographic key storage and management.