The OpenSSL security flaw known as Heartbleed has been one of the most chilling news stories in the tech world over the last few months and it’s not surprising considering an estimated two-thirds of the world’s servers are reliant on the OpenSSL platform to operate. Now even though things have died down a little and the bug seems to be in the past, the truth is that Heartbleed is still as much of a concern as it was a couple of months ago.
Robert Graham, a security researcher and blogger on Errata Security has discovered that over 300,000 servers are still open to attack – that’s still half of those originally discovered when the bug was exposed by one of Google’s engineers. The search into how many servers are still open is easy conducted by scanning the internet on port 443 and seeing how many servers respond to the scan. Those that do not respond have been patched, but port 443 is only one of the ports affected.
When the Heartbleed vulnerability was announced, we found 600k systems vulnerable. A month later, we found that half had been patched, and only 300k were vulnerable. Last night, now slightly over two months after Heartbleed, we scanned again, and found 300k (309,197) still vulnerable. This is done by simply scanning on port 443, I haven’t check other ports.
Of the originally estimated 600,000 servers that were vulnerable, the 300k that have attended to the flaw are predominantly the major names around the world so this means that the huge number of servers that are still open, and may continue to be for a number of years, belong to much smaller sites that either don’t know about the problem, or simply don’t care.
How long Heartbleed will continue to be a threat to security is an unknown entity. Until each and every single server around the world has been patched or replaced as part of routing upgrades, it is impossible to state when the bug will be extinct. All I can urge server owners to do is to check that they have their systems patched and secure. It is not just the integrity of your business that could be at stake, but also the personal information of anyone that uses your server.
Source: The Verge