It’s almost three years since the Heartbleed vulnerability gave sysadmins palpitations, potentially leaking millions of passwords and exposing private SSL keys from vulnerable web servers.
By September 2015, I hoped that the situation would have improved. After all, system administrators had had plenty of time to apply OpenSSL patches and secure their systems. However, that hope was forlorn – over 200,000 devices were found to be still vulnerable.
So what now?
John Matherly, founder of Shodan, revealed the current sorry state of affairs via a tweet announcing their report on Heartbleed’s continued existence:
Nearly 3 years later and we're still looking at ~200,000 services vulnerable to Heartbleed: https://t.co/KU04PtWTJU pic.twitter.com/6mZhCUCVu6
— John Matherly (@achillean) January 22, 2017
Here’s my prediction. In a year’s time, we won’t see any significant reduction in the number of Heartbleed vulnerable websites and devices connected to the internet.
This is as good as it’s going to get. The people who cared about fixing their systems against the Heartbleed vulnerability did it long ago.
The others simply don’t give a damn.
It could be worse than that.
To determine what version of OpenSSL is in use, you do
curl --head http://localhost/ (or whichever URL you're testing).
The response you get will include something like:
Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8g
Version 0.9.8g is, of course, vulnerable to the Heartbleed vul. You fix it by updating your OpenSSL, recompiling Apache and restarting Apache. Which, I have to add, is a bit of a pain in the arse if you have to do it each month.
But if you don't want people to know which version of Apache and OpenSSL you're running (which seems like a sensible thing to do, why give out information that could help an attacker?) you set ServerTokens to reduce the info that you're giving out.
So for servers who have this set to anything other than "Full", you don't know the version of OpenSSL. Which means that they'll pass PCI DSS even if they're vulnerable to Heartbleed.
And no-one will know.
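As an added example of the banner check described in the comment above (not the commenter's own code), this Python classifies a curl --head response three ways, with the ServerTokens-hidden case reported as unknown rather than as a pass. The response texts are constructed, and the version range used is the Heartbleed-affected range, OpenSSL 1.0.1 through 1.0.1f.

```python
import re
from typing import Optional, Tuple

# Constructed curl --head outputs (not captured from any real host).
SAMPLE_RESPONSES = {
    "full":  "HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.1e\r\n\r\n",
    "fixed": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.25 (Unix) OpenSSL/1.0.1g\r\n\r\n",
    "prod":  "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",   # ServerTokens Prod
    "none":  "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",  # header removed entirely
}

VERSION_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)")


def server_header(head_output: str) -> str:
    """Pull the Server header value out of raw curl --head output ('' if absent)."""
    for line in head_output.splitlines():
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return ""


def openssl_version(server_value: str) -> Optional[Tuple[int, int, int, str]]:
    """Parse 'OpenSSL/1.0.1e' into (1, 0, 1, 'e'); None when no version is advertised."""
    m = VERSION_RE.search(server_value)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def heartbleed_status(head_output: str) -> str:
    """Classify a banner as 'vulnerable', 'not-vulnerable' or 'unknown'.

    'unknown' is the case the comment above is about: with ServerTokens set
    below Full there is no version to read, so a banner-only scan has no
    evidence either way and must not record a pass. Even a visible version is
    only a heuristic: distribution builds often backport the fix without
    changing the advertised version string.
    """
    version = openssl_version(server_header(head_output))
    if version is None:
        return "unknown"
    major, minor, patch, letter = version
    # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g and later are fixed.
    if (major, minor, patch) == (1, 0, 1) and letter <= "f":
        return "vulnerable"
    return "not-vulnerable"
```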
I know and it's a real problem.
PCI DSS is strict compared to other countries' standards, but when you think about how old some banks' TLS certificates are (and they pass PCI DSS) you begin to realise that the Payment Card Industry are paying lip service to security.
80% of merchants fail PCI DSS compliance.
http://securityaffairs.co/wordpress/34768/security/80-percent-failure-pci-dss.html
PCI DSS is a fine example of security theatre.