Heartbleed has spent nearly two weeks in the public eye, and the Internet is still in something of a race to stop the bleeding.
Heartbleed initially affected close to 20 percent of web servers. Any server running an affected version of OpenSSL was at risk.
But since the news broke, that hole is mostly patched up. Security firm Sucuri tested Alexa’s top million web pages.
The 1,000 most visited sites on the Internet are all patched against Heartbleed. Only about half a percent of the top 10,000 are still vulnerable; that proportion rises to two percent across the top million sites.
The Internet also appears to be working quickly to mitigate one of Heartbleed’s nastier tricks, through which attackers could steal private SSL keys and impersonate entire websites. (Via SecurityWeek)
The only surefire way for at-risk sites to protect against such an attack is to revoke their existing SSL certificates and obtain new ones, issued for new private keys. A lot of sites are taking this important step — but staying safe is putting a significant load on web services and data budgets.
Certificate authorities issue these new certificates — and also publish a list of the revoked ones, called a Certificate Revocation List, or CRL. A browser consults the CRL when it connects to a site, to check that the certificate it is shown has not been revoked and can still be trusted.
For example: certificate authority GlobalSign’s CRL is now huge, thanks to all the Heartbleed revocations. It used to be 22 kilobytes; now it’s 4.7 megabytes.
Every browser downloading the new CRLs has caused a spike in Internet traffic; Cloudflare puts it at 40 gigabytes a second. A load like that could cost hosts like GlobalSign hundreds of thousands of dollars in bandwidth — and that’s assuming their servers can even hold up. "Revoking SSL certificates threatens to create a sort of denial of service attack on their own infrastructures."
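As an added illustration of the CRL check described above (this is example code written for this page, not from the article, GlobalSign or Cloudflare), the Go program below uses only the standard library to play both sides: a throwaway demo CA issues a CRL listing revoked serial numbers, and a relying party verifies the list's signature and freshness before trusting its verdict. The issuer name, key seed, serial numbers and validity window are all constructed for the demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issueCRL plays the CA: a throwaway demo issuer (constructed here, not any real authority) signs a CRL of revoked serials.
func issueCRL(revokedSerials []int64) ([]byte, *x509.Certificate, error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed seed keeps the demo deterministic; a real CA uses a CSPRNG
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv) // self-signed CA cert
	if err != nil {
		return nil, nil, err
	}
	ca, _ := x509.ParseCertificate(caDER) // DER we just produced, so it parses
	var entries []pkix.RevokedCertificate
	for _, s := range revokedSerials {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: entries}, ca, priv)
	return crlDER, ca, err
}
// isRevoked plays the browser: a CRL's verdict counts only if the issuer signed it and it is not past NextUpdate.
func isRevoked(crlDER []byte, issuer *x509.Certificate, serial int64) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil || time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("untrusted CRL: signature check %v, NextUpdate %s", err, crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificates { // the list only says what was revoked; absence means "not yet"
		if e.SerialNumber.Cmp(big.NewInt(serial)) == 0 {
			return true, nil
		}
	}
	return false, nil
}
func main() {
	crl, ca, _ := issueCRL([]int64{1001, 1002}) // constructed sample: serials 1001 and 1002 revoked
	fmt.Println(isRevoked(crl, ca, 1001)) // prints: true <nil>
}
```

A browser that skipped the signature or NextUpdate check could be fed an old or forged list, which is why the cost of serving fresh CRLs cannot simply be avoided by caching them forever.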
Still, it could be a necessary cost, given the new and dangerous things attackers keep showing they can do with Heartbleed.
This week security firm Mandiant reported a successful attack on one of its clients, in which someone used Heartbleed to break into a corporation’s OpenSSL-based virtual private network and impersonate legitimate users.
"The attack bypassed both the organization’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software." (Via Mandiant)
Mandiant didn’t say whether the attacker stole any information, but the fact that someone got waved through security so easily is disconcerting enough to industry watchers.
Ars Technica explains that anything running a vulnerable version of OpenSSL should be considered at risk.
"OpenSSL is so deeply entrenched in Web, e-mail, networking, and end-user software and firmware that there's no telling how many different ways blackhats can exploit it against otherwise secure networks." (Via Ars Technica)
The best defense for us web users is vigilance: change your password on any site that was hit by Heartbleed, but only once that site has updated its own security, since a new password sent to a still-vulnerable server can be stolen all over again.