PCMag reports that almost three months after the OpenSSL bug was discovered, 300,000 servers are still vulnerable to the Heartbleed bug. Errata Security found that a total of 309,197 servers are still vulnerable, down from about 600,000 when the vulnerability was announced. However, the data reveals that patch rates have significantly declined from the weeks after Heartbleed was initially publicized. Security researcher Robert Graham of Errata explains:
This indicates people have stopped even trying to patch. We should see a slow decrease over the next decade as older systems are slowly replaced. Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable.
Errata found the vulnerable servers by scanning port 443 on servers and testing each one for the vulnerability. ZDNet reports that only 9,042 new servers have been protected in the past month. That contrasts with the flurry of activity following the bug’s discovery; after the first month, only 318,239 servers of the 600,000 were still vulnerable. VentureBeat reported that within ten days of Heartbleed being publicized, the top 1,000 sites in the world had all been properly patched to protect against the bug.
Initially discovered by a Google (NASDAQ:GOOG) (NASDAQ:GOOGL) engineer, Heartbleed leaves huge amounts of encrypted data open to hackers, who could use leaked encryption keys to decrypt usernames, passwords, other login details, and information that should be protected. Heartbleed’s impact is so wide because OpenSSL, an open source cryptographic library, is used by thousands of sites. Mashable reports that the OpenSSL bug went unnoticed for two years before it was discovered.
Consumers received a flurry of emails and notifications following the initial reveal of the bug. Many were from sites that were aware of their vulnerability, implemented a patch, and asked users to reset their passwords or login information in case their data had been compromised. Those were good emails to receive: after a site has implemented a patch, users should change their passwords and use a different password for each site that they log in to.
As Errata points out, some sites may never fix their vulnerability. Errata plans to complete additional scans periodically to track the progress of sites’ defense against the bug. It’s also a good idea for users to be aware of which sites have patched their vulnerability and which ones haven’t.
Several sites offer tests and browser extensions that let users check whether a site is vulnerable, such as the Heartbleed test by Italian programmer Filippo Valsorda or a Chrome extension called Chromebleed. Tools by LastPass and Qualys are also options. Once users have run those tests, or have been alerted to a vulnerability by a browser plugin or extension they’ve installed, they should think twice about sharing any more information with a site that is still vulnerable to Heartbleed.
While it’s been universally recommended that users change their passwords, it does no good to change a password to a vulnerable site until the site has been patched. Just as users waited to receive the green light from sites that implemented a patch immediately following the discovery of Heartbleed, they should wait until sites have been patched before sharing more information or changing login details. However, as patch rates decline, it becomes less and less likely that the remaining sites will fix their vulnerabilities.
Mashable points out that users should only worry about Heartbleed to a point. While Heartbleed is a huge vulnerability, there are many other security issues to be aware of. “Heartbleed is just one of many vulnerabilities that often exist unpatched in the wild. If you want to make yourself paranoid, consider the number of computer systems, ATMs, and payment terminals that are still running some variation of Windows XP. Even on the ecommerce side of things, being patched for Heartbleed doesn’t guarantee that a site has its other security software up-to-date.”
The upshot is that users should be aware that many sites are still vulnerable, and they should take some time to find out whether the sites they use are secured against Heartbleed. They should stop sharing information with any that haven’t been patched. Now that major sites have been protected, users should switch to a different, secure password for each site, and set up any other authentication and security measures that sites offer to keep their information as safe as possible.