Heartbleed a Year Later: How the Security Conversation Changed

By Sean Michael Kerner  |  Posted 2015-04-07

Even 12 months on, Heartbleed still poses a risk today. In a new report, security vendor Venafi claims that 74 percent of the Global 2000 are still at risk from Heartbleed. Venafi's numbers, however, are not just about whether servers have been updated to a fixed OpenSSL release, but also about whether their SSL/TLS certificates have been replaced.

Venafi issued a similar report in July 2014. Security experts contacted by eWEEK at the time contested Venafi's analysis.

Dmitri Alperovitch, CTO and co-founder at Crowdstrike, said that while replacing SSL certificates is certainly recommended, not replacing the certificates doesn't necessarily mean organizations are still vulnerable to Heartbleed.

"It's akin to saying that even though you've had heart bypass surgery to mitigate a clot in an artery, you are still in immediate danger of having a heart attack because you haven't stopped eating fatty and unhealthy foods," Alperovitch said at the time.
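The distinction Alperovitch draws is worth making concrete: an unpatched OpenSSL build is still exploitable, while a patched host whose certificate predates the fix is a different, residual risk (a private key that may have been read from memory while the host was vulnerable). The following is an added example, not code from the article or from Venafi, CrowdStrike or Qualys. It assumes the publicly documented affected range (OpenSSL 1.0.1 through 1.0.1f plus the 1.0.2-beta1 pre-release, fixed in 1.0.1g released 2014-04-07) and takes a host's OpenSSL banner and certificate notBefore date as constructed sample inputs.

```python
"""Added example (not from the eWEEK article): classify a host's Heartbleed
remediation state from the two pieces of evidence the article says both
matter, the OpenSSL version in use and whether the TLS certificate was
reissued after the fix was deployed."""
import re
from datetime import date

# Assumed from OpenSSL's own advisory, not from the article: 1.0.1 through
# 1.0.1f and the 1.0.2-beta1 pre-release were affected; 1.0.1g fixed it.
FIX_RELEASE_DATE = "2014-04-07"

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter, beta) from a banner such as
    'OpenSSL 1.0.1f 6 Jan 2014' or 'OpenSSL 1.0.2-beta1'."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised OpenSSL banner: %r" % banner)
    major, minor, fix = int(m.group(1)), int(m.group(2)), int(m.group(3))
    return major, minor, fix, m.group(4), m.group(5) or ""


def version_is_heartbleed_affected(banner):
    """True if the reported OpenSSL build still contains the Heartbleed bug."""
    major, minor, fix, letter, beta = parse_openssl_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        # '' (plain 1.0.1) up to 'f' are affected; 'g' and later are fixed.
        return letter < "g"
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped with the bug.
        return beta == "-beta1"
    # 0.9.8 and 1.0.0 never had the heartbeat code; later branches are fixed.
    return False


def classify_host(banner, cert_not_before, fix_deployed_on=FIX_RELEASE_DATE):
    """Classify remediation state. Dates are ISO 'YYYY-MM-DD' strings; the
    default fix date is the 1.0.1g release, but an organisation should pass
    the date it actually deployed the patch."""
    if version_is_heartbleed_affected(banner):
        return "vulnerable: OpenSSL build still affected, patch before anything else"
    if date.fromisoformat(cert_not_before) < date.fromisoformat(fix_deployed_on):
        return ("patched, key not rotated: certificate predates the fix, so a key "
                "exposed while vulnerable may still be in use; reissue and revoke")
    return "remediated: patched and certificate reissued after the fix"


if __name__ == "__main__":
    # Constructed sample hosts, not real survey data.
    samples = [
        ("OpenSSL 1.0.1f 6 Jan 2014", "2014-01-15"),
        ("OpenSSL 1.0.1g 7 Apr 2014", "2013-09-01"),
        ("OpenSSL 1.0.1k 8 Jan 2015", "2014-05-20"),
        ("OpenSSL 1.0.0l 6 Jan 2014", "2013-02-01"),
    ]
    for banner, not_before in samples:
        print("%-28s cert from %s -> %s" % (banner, not_before,
                                            classify_host(banner, not_before)))
```

The second sample is the case Venafi's survey counts as "still at risk" and Alperovitch counts as mitigated: the bug itself is gone, but the certificate (and therefore possibly the key) is the one that was in service during the exposure window. Tracking both states separately is what lets a team prioritise the genuinely vulnerable hosts first and schedule certificate rotation as a follow-up.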

While Venafi claims that the majority of sites it surveyed are still at risk from Heartbleed, the Qualys-sponsored SSL Pulse site currently reports that only 0.3 percent of sites remain at risk.

A year after Heartbleed first made headlines, it is still an issue, because old vulnerabilities never truly die. The risk Heartbleed poses today is the same as that of any other known vulnerability an organization has not yet patched. Hewlett-Packard's 2015 Cyber Risk report found that 44 percent of breaches could be attributed to known, already-patched vulnerabilities that are between two and four years old. Simply put, patching is hard, but when it comes to big issues like Heartbleed, organizations have, in fact, done a lot of patching.

Heartbleed was not the worst vulnerability in history, but it was noteworthy because of the hype and hysteria it created. It triggered a global update of OpenSSL servers, desktops and mobile apps, and it did leave most of the world's Internet population at risk of exploitation for a period of time.

In the year since Heartbleed, there is more scrutiny than ever on OpenSSL and critical infrastructure overall, and that's a good thing. Ignorance is not bliss and it's not security, either. Only by remaining vigilant can security ever be attained.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
