Heartbleed Still a Threat to Hundreds of Thousands of Servers
Unpatched sites and improperly issued SSL certificates could be leaving users vulnerable.

A month after the Heartbleed OpenSSL security vulnerability was first publicly disclosed, there are strong indications that a great many users are still vulnerable. Technically, the Heartbleed flaw is identified as CVE-2014-0160 and called "TLS heartbeat read overrun." It is found within the open-source OpenSSL cryptographic library, which provides Secure Sockets Layer (SSL) encryption capabilities for data in transit.

The OpenSSL project first released its own patch for the Heartbleed flaw on April 7, but that hasn't meant that every deployment has actually been updated. OpenSSL is widely deployed in servers and embedded devices, including Android phones.

To actually protect users from Heartbleed, multiple steps need to be taken. For both servers and end-user devices, an updated OpenSSL package needs to be installed. On the server side, SSL certificates need to be regenerated, and end users need to reset their passwords.

Security researcher Robert Graham noted in a blog post on May 8 that he scanned the Internet to find systems still vulnerable to Heartbleed and found 318,239 systems still at risk.
That's not the whole story on the Heartbleed risk, though. In addition to patching OpenSSL, server administrators also need to regenerate SSL certificates. But as it turns out, though many SSL certificates have been reissued, they weren't all reissued correctly.
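The "regenerate SSL certificates" step above and the point that reissues were not all done correctly come down to the same check. One way a reissue goes wrong, and the one most widely reported after Heartbleed, is signing a fresh certificate over the same private key that an unpatched server may already have leaked: a new serial number and a new expiry date, but no new key. Whether the key actually changed can be verified by comparing the SubjectPublicKeyInfo (SPKI) fingerprint of the old and new certificates. The following Python is an added example, not code from the article, from Robert Graham, or from the OpenSSL project. It uses only the standard library (a minimal DER walker rather than a crypto library), and the sample certificates are constructed, unsigned stubs built by `make_stub_cert`; the names `KEY_A`, `KEY_B`, `OLD_CERT`, `REISSUED_SAME_KEY` and `REISSUED_NEW_KEY` are placeholders, not real certificates.

```python
"""Check whether a reissued X.509 certificate actually carries a new public key.

Added example (not the article's code). Pure standard library: a small DER
walker pulls subjectPublicKeyInfo out of a certificate and hashes it, so an old
and a reissued certificate can be compared offline. Sample certificates are
constructed stubs for demonstration only.
"""
import base64
import hashlib

SEQUENCE, INTEGER, OID, NULL, BIT_STRING, UTC_TIME, CTX0 = 0x30, 0x02, 0x06, 0x05, 0x03, 0x17, 0xA0


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite (short- or long-form) length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV starting at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def children(buf: bytes, start: int, end: int):
    """Yield (tag, elem_start, value_start, value_end) for each child of a SEQUENCE."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, pos, vs, ve
        pos = ve


def spki_from_cert(der_cert: bytes) -> bytes:
    """Return the raw DER subjectPublicKeyInfo (header included) of a certificate."""
    tag, vs, _ = read_tlv(der_cert, 0)
    if tag != SEQUENCE:
        raise ValueError("not a Certificate SEQUENCE")
    tbs_tag, tbs_s, tbs_e = read_tlv(der_cert, vs)
    if tbs_tag != SEQUENCE:
        raise ValueError("not a tbsCertificate SEQUENCE")
    elems = list(children(der_cert, tbs_s, tbs_e))
    # tbsCertificate: [0] version (optional), serialNumber, signature, issuer,
    # validity, subject, subjectPublicKeyInfo, ...
    idx = 1 if elems and elems[0][0] == CTX0 else 0
    spki_tag, spki_start, _, spki_end = elems[idx + 5]
    if spki_tag != SEQUENCE:
        raise ValueError("unexpected element where subjectPublicKeyInfo was expected")
    return der_cert[spki_start:spki_end]


def spki_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the SPKI DER, the same quantity public-key pinning hashes."""
    return hashlib.sha256(spki_from_cert(der_cert)).hexdigest()


def key_was_rotated(old_cert: bytes, new_cert: bytes) -> bool:
    """True only if the reissued certificate binds a different public key."""
    return spki_fingerprint(old_cert) != spki_fingerprint(new_cert)


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armor lines and base64-decode the body."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def der_to_pem(der_cert: bytes) -> str:
    b64 = base64.b64encode(der_cert).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# --- constructed sample input (placeholder OIDs are real, everything else is a stub) ---
RSA_OID = der(OID, bytes.fromhex("2a864886f70d010101"))         # rsaEncryption
SHA256_RSA_OID = der(OID, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption


def make_stub_cert(key_bytes: bytes, serial: int) -> bytes:
    """Structurally valid, unsigned stub certificate (constructed; not a real cert)."""
    sig_alg = der(SEQUENCE, SHA256_RSA_OID + der(NULL, b""))
    empty_name = der(SEQUENCE, b"")
    validity = der(SEQUENCE, der(UTC_TIME, b"140407000000Z") + der(UTC_TIME, b"150407000000Z"))
    spki = der(SEQUENCE, der(SEQUENCE, RSA_OID + der(NULL, b"")) + der(BIT_STRING, b"\x00" + key_bytes))
    tbs = der(SEQUENCE, der(CTX0, der(INTEGER, b"\x02")) + der(INTEGER, serial.to_bytes(1, "big"))
              + sig_alg + empty_name + validity + empty_name + spki)
    return der(SEQUENCE, tbs + sig_alg + der(BIT_STRING, b"\x00" * 17))  # dummy signature


KEY_A = bytes(range(32))        # placeholder key bits (constructed)
KEY_B = bytes(range(32, 64))    # a different placeholder key (constructed)
OLD_CERT = make_stub_cert(KEY_A, 1)
REISSUED_SAME_KEY = make_stub_cert(KEY_A, 2)  # new serial, same key: still exposed
REISSUED_NEW_KEY = make_stub_cert(KEY_B, 3)   # new serial and a genuinely new key
OLD_CERT_PEM = der_to_pem(OLD_CERT)

if __name__ == "__main__":
    for name, cert in [("same-key reissue", REISSUED_SAME_KEY), ("new-key reissue", REISSUED_NEW_KEY)]:
        print(f"{name}: key rotated = {key_was_rotated(OLD_CERT, cert)}")
```

Against real certificates, pass `pem_to_der(open(path).read())` for the pre- and post-Heartbleed PEM files; identical fingerprints mean the key was never rotated, regardless of how fresh the serial number or validity period looks. The walker only reads the field layout up to the SPKI and does not verify signatures, so it is a rotation check, not a validity check.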