Heartbleed is not dead. And isn’t likely to be any time soon

200,000+ vulnerable devices on the internet.

Graham Cluley

It’s almost three years since the Heartbleed vulnerability gave sysadmins palpitations, potentially leaking millions of passwords and exposing private SSL keys from vulnerable web servers.

By September 2015, I hoped that the situation would have improved. After all, system administrators had had plenty of time to apply OpenSSL patches and secure their systems. However, that hope was forlorn – over 200,000 devices were found to be still vulnerable.

So what now?

John Matherly, founder of Shodan, revealed the current sorry state of affairs via a tweet announcing their report on Heartbleed’s continued existence:

Here’s my prediction. In a year’s time, we won’t see any significant reduction in the number of Heartbleed vulnerable websites and devices connected to the internet.

This is as good as it’s going to get. The people who cared about fixing their systems against the Heartbleed vulnerability did it long ago.

The others simply don’t give a damn.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

3 comments on “Heartbleed is not dead. And isn’t likely to be any time soon”

  1. drsolly

    It could be worse than that.

    To determine what version of OpenSSL is in use, you do

    curl --head http://localhost/ (or whichever URL you're testing).

    The response you get will include something like:

    Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8g

    Version 0.9.8g is, of course, vulnerable to the Heartbleed vul. You fix it by updating your OpenSSL, recompiling Apache and restarting Apache. Which, I have to add, is a bit of a pain in the arse if you have to do it each month.

    But if you don't want people to know which version of Apache and OpenSSL you're running (which seems like a sensible thing to do, why give out information that could help an attacker?) you set ServerTokens to reduce the info that you're giving out.

    So for servers that have this set to anything other than "Full", you don't know the version of OpenSSL. Which means that they'll pass PCI DSS even if they're vulnerable to Heartbleed.

    And no-one will know.

    1. Bob · in reply to drsolly

      I know and it's a real problem.

      PCI DSS is strict compared to other countries' standards, but when you think about how old some banks' TLS certificates are (and they pass PCI DSS) you begin to realise that the Payment Card Industry is paying lip service to security.

      1. drsolly · in reply to Bob

        80% of merchants fail PCI DSS compliance.

        http://securityaffairs.co/wordpress/34768/security/80-percent-failure-pci-dss.html

        PCI DSS is a fine example of security theatre.
