Heartbleed Bug: Dead or Still a Threat?

Source: Thinkstock


The stir caused by the Heartbleed Bug may finally be settling, as many websites work to patch the vulnerabilities in their encryption. According to Computerworld, most websites have patched the problem already, and considering the scale of the bug, it makes sense that so many sites would act so quickly. However, it doesn’t all end there.

Computerworld noted that Sucuri Security, a California security firm, analyzed top websites and found that all of the top 1,000 websites as ranked by Alexa Internet have been patched as of April 17. Of the top 10,000, just 0.53 percent remain vulnerable, 1.5 percent of the top 100,000 are still vulnerable, and around 20,000 of the top 1 million sites are still at risk. Even if those numbers make it seem like most websites are safe now, the Heartbleed Bug isn’t so simple that a patch can solve the entire issue, and the websites can’t solve it on their own either.

The Heartbleed Bug made it possible for attackers to breach a website’s security to snatch up information on encryption keys, usernames, and passwords, and a simple patch won’t take that information away from hackers who already gathered it. The patch will ensure that sites aren’t vulnerable to future exploits of the bug, but a great wall clearly won’t solve a kingdom’s problems if it’s already been raided.

Although most of the biggest websites have patched the problem, there is still more to do, and users of those websites also have to take action to ensure their data is safe. Once the websites have completed protecting themselves, it’s time for web users to fix their own vulnerabilities.

The first thing that needs to happen to fix remaining vulnerabilities within websites is for the sites to get new SSL certificates and encryption keys. Hackers may have been able to steal this data before websites were patched, so a site that continues to use its old certificates and keys leaves users vulnerable, and any new passwords they create could potentially be discovered.

Though a high percentage of sites have patched the problem, Sucuri Security’s analysis did not check to see how many of the websites had also updated their certificates and encryption keys. Asked about scanning for certificates and keys, Sucuri Chief Technology Officer Daniel Cid said, “I bet the results will be much much worse on that one.”

Once websites have secured themselves, users have to make sure they change their passwords. Since Heartbleed leaves no tracks, no one can assume a vulnerable website wasn’t affected. Even if the website is patched, hackers could still have passwords, which would grant them access to user accounts if the passwords are left unchanged.
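The order of operations described above (patch, then new certificate and key, then password change) can be written as a small triage check. This is an added example, not code from the article or from Sucuri; the inventory records, fingerprints, status names and the use of the certificate's notBefore date as the reissue date are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Site:
    host: str
    patched_on: Optional[date]     # None = still running the vulnerable library
    cert_not_before: date          # notBefore of the certificate served today
    key_fp_while_vulnerable: str   # public-key fingerprint seen before the patch
    key_fp_now: str                # public-key fingerprint served today

def site_status(s: Site) -> str:
    """Classify how far a site is through the remediation sequence."""
    if s.patched_on is None:
        return "vulnerable"
    if s.cert_not_before < s.patched_on:
        return "patched-old-cert"      # certificate predates the patch
    if s.key_fp_now == s.key_fp_while_vulnerable:
        return "reissued-same-key"     # new certificate wraps the exposed key
    return "remediated"

def password_advice(s: Site, last_changed: date) -> str:
    """A password is only trustworthy if it was set after the site finished."""
    if site_status(s) != "remediated":
        return "wait-for-site"         # a new password could be exposed again
    if last_changed < s.cert_not_before:
        return "change-now"            # changed while the old key was in use
    return "ok"

# Constructed sample inventory (hosts, dates and fingerprints are made up).
SITES = [
    Site("a.example", None,             date(2013, 6, 1),  "aa11", "aa11"),
    Site("b.example", date(2014, 4, 9), date(2013, 6, 1),  "bb22", "bb22"),
    Site("c.example", date(2014, 4, 9), date(2014, 4, 10), "cc33", "cc33"),
    Site("d.example", date(2014, 4, 9), date(2014, 4, 10), "dd44", "ee55"),
]

if __name__ == "__main__":
    for s in SITES:
        print(s.host, site_status(s), password_advice(s, date(2014, 4, 9)))
```

Only the last site counts as finished, and even there a password changed on the patch day, before the new certificate was issued, still has to be changed again.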

If you’re unsure what passwords you should change and what else you should do to protect yourself, here are some additional steps you can take to protect your online accounts and data. To discover which websites are still vulnerable, you can use Qualys SSL Labs to test websites.

Follow Mark on Twitter @WallStMarkSheet