Are the dangers of the Heartbleed vulnerability exaggerated?

Lewis Leong


News of the Heartbleed security vulnerability has spread like wildfire. According to Netcraft, an internet services company, 66% of the web runs on OpenSSL and is therefore potentially exposed to Heartbleed. But are these figures overblown?

Today, content delivery network CloudFlare released a report showing how hard it is to extract a web server's private key with Heartbleed. The company also notes that there have been no verified reports of private keys being stolen.


CloudFlare received early notice of the Heartbleed vulnerability and patched its own servers twelve days ago. It then began testing to see if it was possible to use Heartbleed to exploit its own services. “After extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data,” wrote CloudFlare software engineer Nicholas Sullivan.

While the company says it could not exploit a vulnerable server, it does not rule out the possibility. CloudFlare does not “feel comfortable” saying the exploit won’t work, only that it would be “very hard” to pull off. The company has set up a challenge inviting security researchers and hackers to extract the private key from a deliberately vulnerable page using the Heartbleed bug.

Netcraft has also followed up its initial report about 66% of the web being vulnerable. Of the 66% of the web using OpenSSL, only 17.5% of those sites actually support the TLS heartbeat extension that Heartbleed abuses, and a server is only exposed if it runs an affected OpenSSL release with that extension enabled. “Not all of these servers are running an HTTPS service, nor are they all running vulnerable versions of OpenSSL with heartbeats enabled,” writes web security tester Paul Mutton.
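The two conditions Netcraft names can be checked without touching a live server. The following script is an added example, not code from CloudFlare, Netcraft or the OpenSSL project: it decides whether an `openssl version` banner falls in the affected range (1.0.1 through 1.0.1f and 1.0.2-beta1, per the OpenSSL advisory) and whether a ServerHello negotiates the heartbeat extension (TLS extension type 0x000f). The ServerHello it parses is constructed in the script for the demonstration, not a captured packet; the version check is deliberately conservative because several Linux distributions backported the fix without changing the version string.

```python
"""Offline checks for the two Heartbleed preconditions: an affected OpenSSL
build and a server that negotiates the TLS heartbeat extension (0x000f)."""
import re
import struct

HEARTBEAT_EXT = 0x000F  # TLS extension type for heartbeat (RFC 6520)


def openssl_version_vulnerable(banner: str) -> bool:
    """True if an `openssl version` banner names a release in the affected
    range: 1.0.1 up to and including 1.0.1f, plus 1.0.2-beta1 (1.0.1g fixed it).
    Caveat: distributions such as Debian and Red Hat backported the fix while
    keeping e.g. '1.0.1e' in the banner, so True means 'check the package
    changelog', not 'definitely vulnerable'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?", banner)
    if not m:
        raise ValueError(f"no OpenSSL version found in {banner!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"          # "" (1.0.1 itself) through 1.0.1f
    if (major, minor, patch) == (1, 0, 2):
        return beta == "1"            # only 1.0.2-beta1 shipped the bug
    return False                      # 0.9.8 and 1.0.0 never had heartbeats


def server_hello_extensions(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello and return its extensions
    keyed by extension type. Raises ValueError for anything else."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if len(body) != rlen:
        raise ValueError("truncated record")
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    if htype != 2:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + hlen]
    pos = 2 + 32                           # server_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                     # session_id
    pos += 2 + 1                           # cipher_suite + compression_method
    exts = {}
    if pos == len(hello):
        return exts                        # no extensions block at all
    (ext_total,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    while pos < end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        exts[etype] = hello[pos:pos + elen]
        pos += elen
    return exts


def negotiates_heartbeat(record: bytes) -> bool:
    """True if the server's ServerHello advertises the heartbeat extension."""
    return HEARTBEAT_EXT in server_hello_extensions(record)


def make_server_hello(extensions: list) -> bytes:
    """Constructed sample ServerHello (TLS 1.1, not a real capture) so the
    parser above can be exercised offline."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = (b"\x03\x02"          # server_version: TLS 1.1
             + b"\x00" * 32       # random (zeroed; sample only)
             + b"\x00"            # empty session_id
             + b"\xc0\x13"        # cipher_suite: ECDHE-RSA-AES128-SHA
             + b"\x00")           # compression_method: null
    if extensions:
        hello += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x02" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for banner in ("OpenSSL 1.0.1e-fips 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014"):
        status = "affected range" if openssl_version_vulnerable(banner) else "not affected"
        print(f"{banner} -> {status}")
    sample = make_server_hello([(0x0000, b""), (HEARTBEAT_EXT, b"\x01")])
    print("heartbeat negotiated:", negotiates_heartbeat(sample))
```

To use this against a real host, feed `server_hello_extensions` the first handshake record returned after a ClientHello that itself offers the heartbeat extension; a server that does not echo extension 0x000f cannot be Heartbled regardless of its OpenSSL version.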

Web administrators are not taking any chances: they are updating to patched versions of OpenSSL and then reissuing their TLS certificates with new private keys, since a key that may already have leaked stays compromised after the patch. Companies like SoundCloud are signing users out so that session cookies issued before the fix can no longer be used. If you find yourself logged out of some sites and services, it’s probably because of these updates.

It’s too soon to say whether Heartbleed is as big an issue as the media is portraying it to be. If anything, it serves as a wake-up call for companies and consumers to stay on top of security. Companies need to invest in better security and consumers need to start educating themselves.

Always use a unique password for every website and service you sign up for. If your username and password are exposed on one site, unique passwords keep attackers out of your other accounts. Password managers like LastPass, 1Password, and KeePass are good ways to store your passwords securely.

Enable two-factor authentication on every site and service that offers it. Google, Facebook, and Twitter all support two-factor authentication. If a site or service doesn’t support it, write to the company to request the feature.


Source: CloudFlare | Netcraft | Heartbleed

Via: The Verge
