It’s been over a month since the world was alerted to the Heartbleed bug, but that doesn’t mean we should have forgotten about it. Quite the opposite in fact, because 300,000 servers apparently remain affected by the security hole.
A new scan of the internet — or at least the important bits: port 443 of IPv4 addresses — by Robert Graham at security researchers Errata reveals that 318,239 systems are still vulnerable to the OpenSSL. That’s admittedly down from over 600,000 a month ago, but clearly there’s still a long way to go. Graham explains what he found:
The numbers are a little strange. Last month, I found 28-million systems supporting SSL, but this month I found only 22-million. I suspect the reason is that this time, people detected my Heartbleed “attacks” and automatically firewalled me before the scan completed. Or, another problem is that I may have more traffic congestion at my ISP, which would reduce numbers. (I really need to do a better job detecting that).
Last month, I found 1-million systems supporting the “heartbeat” feature (with one third patched). This time, I found 1.5-million systems supporting the “heartbeat” feature, with all but the 300k patched. This implies to me that the first response to the bug was to disable heartbeats, then later when people correctly patched the software, heartbeats were re-enabled. Note that only OpenSSL supports heartbeats, meaning that the vast majority of SSL-supporting servers are based on software other than OpenSSL.
There’s lots of good news in that report then. But if it reminds us of one thing, it should be that, just because something happened a month ago, it doesn’t mean that we can forget about its continued implications. Hopefully Heartbleed stop being a thing real soon. [Errata]