How Bad Reactions Complicated Problems With Heartbleed


It’s been more than a month since news broke of the Heartbleed bug, which potentially compromised the security of millions of websites. In the immediate aftermath, users and website owners alike scrambled to fix the problem and restore security. Unfortunately, a rush to fix an issue that wasn’t fully understood may have further complicated matters for many websites. At Network World, Peter Sayer explains how thousands of sites made a bad situation worse in their attempts to patch vulnerabilities tied to the Heartbleed bug.

Heartbleed is a bug in OpenSSL that can leave a website’s SSL certificates, and the private key behind them, compromised, which would completely undermine the perceived security of that website. Ideally, after news of Heartbleed broke, website owners and those operating their servers should have carefully diagnosed whether or not their site and servers were at risk and acted accordingly. In many cases, this happened: the vulnerability was patched and the certificates were revoked and reissued.

According to internet services company Netcraft, however, more than half of vulnerable sites have neither revoked their compromised security certificates nor reissued new ones. Nearly a quarter of sites have reissued certificates, but haven’t revoked the compromised ones.

Meanwhile, 30,000 vulnerable websites revoked their certificates and then reissued new ones, but did so using the same private key that was originally compromised. A new certificate issued over a compromised key offers no protection, so not only are these sites still vulnerable to a known attack, they’re operating under the assumption that they, and their users, are secure.

Still more sites have seemingly taken no action whatsoever. They’ve continued to use the same private key with their certificates and haven’t revoked old certificates. While these sites are no better or worse off than they were before Heartbleed, at least they have no illusions about the state of their security.

By far the worst situation, however, is the roughly 20 percent of vulnerable servers that were initially immune to the Heartbleed vulnerability. Those servers ran versions of OpenSSL that couldn’t be exploited by Heartbleed, but their operators reacted to the breaking news like everyone else and replaced those safe versions with flawed ones.

In each of these cases, a failure to truly understand one’s own infrastructure and the threat at hand led to illogical decisions that either didn’t help improve the situation, or made it much worse.
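The key-reuse mistake described above (a certificate reissued over the same private key) is easy to catch before deploying the new certificate: compare the public key embedded in the old and new certificates. The script below is an added example, not code from the article or from Netcraft; it assumes the openssl command-line tool is installed and that the old and reissued certificates are available as PEM files.

```shell
#!/bin/sh
# Verify that a reissued certificate actually carries a NEW key.
# If the SubjectPublicKeyInfo fingerprint of the reissued certificate matches
# the old one, the (possibly leaked) private key is still in use and the
# reissue bought nothing.

# Print the SHA-256 fingerprint of a certificate's public key (SPKI, DER form).
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{print $NF}'
}

# key_rotated OLD.pem NEW.pem
# Exit status 0: the new certificate uses a different key (key was rotated).
# Exit status 1: same public key in both certificates (key was reused).
# Exit status 2: one of the files could not be parsed by openssl.
key_rotated() {
    old=$(spki_fingerprint "$1") || return 2
    new=$(spki_fingerprint "$2") || return 2
    [ -n "$old" ] && [ -n "$new" ] || return 2
    [ "$old" != "$new" ]
}

# Command-line use: key_rotated.sh old.pem reissued.pem
if [ "$#" -eq 2 ]; then
    if key_rotated "$1" "$2"; then
        echo "OK: reissued certificate uses a new public key"
    else
        echo "WARNING: reissued certificate reuses the old public key"
        exit 1
    fi
fi
```

Run it against the certificate you served before the patch and the one you are about to deploy; a "WARNING" means the reissue must be redone with a freshly generated key.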

At Geek Rescue, we offer managed services and other IT solutions to help your organization avoid these types of situations. To find out more, call us at 918-369-4335.

May 12th, 2014