Heartbleed Patches Still Coming Slowly
April 21, 2014

Many Sites Patched For Heartbleed, Others Coming Slowly

Peter Suciu for redOrbit.com – Your Universe Online

The Internet has an apparent “illness” and Open Source Heartbleed surgery is its best option. So far the prognosis is good, but recovery could take time. According to reports early this week, the world’s top 1,000 websites have been patched up against the “Heartbleed” exploit and are good to go.

However, as reported by Computerworld on Monday, California-based security firm Menifee estimates that as many as two percent of the top million sites were still vulnerable as of late last week.

Information security company Sucuri inspected some of the one million most popular Alexa-ranked websites and found that while most are fixed, some 20,320 remain vulnerable. While it is a small number, knowing exactly which sites pose a danger is nearly impossible for users.

“We were glad to see that the top 1,000 sites in the world were all properly patched and that just 0.53 percent of the top 10,000 still had issues,” Sucuri chief technology officer Daniel Cid wrote in a blog post as reported by VentureBeat over the weekend. “However, as we went to less popular (and smaller) sites, the number of unpatched servers grew to 2 percent. That is not surprising, but we expected better.”

Heartbleed is the nickname for a flaw in OpenSSL, an open source cryptographic library that implements SSL (Secure Sockets Layer) and TLS (Transport Layer Security) encryption. It isn’t technically a virus, but rather a flaw that could be exploited to capture usernames, passwords and, most worrisome of all, the encryption keys used by site servers. It was reportedly introduced into OpenSSL in late 2011.

Heartbleed was discovered independently this month by researchers from the security firm Codenomicon, which launched the Heartbleed.com website to explain how the flaw works, and by Google security engineer Neel Mehta. Once the flaw was reported, the OpenSSL project rushed out a patch on April 7.

What makes Heartbleed an ongoing problem is that, although the flaw can apparently be patched easily, many sites have still failed to do so, as noted above, and this leaves Internet users in a “virtual minefield.” The Heartbleed bug allows hackers to retrieve data without leaving a trace. While companies have been patching their sites, users have no way to know whether a given site was affected and, moreover, companies themselves cannot tell whether anything was stolen.

While this will be a headache for many people, it could also potentially signal the beginning of the end for open source.

“OpenSSL is an open source project, meaning its original source code is freely available for developers to use and modify,” Damien Choizit, a solutions engineer at software analysis and measurement company CAST, wrote in an op-ed for the Telegraph on Monday. “This brings plenty of benefits – a wider pool of talent creating and enhancing code which is available for free – but also negatives – while many might be involved in the development of the code, very few are [scrutinizing] it for flaws.”

“There was common consensus that, because the OpenSSL code had been reviewed so many times, it must be secure,” Choizit added. “In reality, however, it was during one of these review cycles that the Heartbleed bug was introduced.”

While Choizit suggested that the answer is not to stop using open source code, he did add that many high-profile companies such as Google, Facebook and Amazon – which all rely on open source projects – should take greater responsibility for ensuring that the code is both checked and measured.

“Those who benefit most from the gift of the web should also serve as guardians, making sure it can be used safely for mutual benefit,” Choizit pondered.