Revoking and reissuing a certificate gives these sites no real protection if the private key behind it stays the same

May 9, 2014 14:53 GMT  ·  By

A lot of sites are missing the whole point made by Heartbleed: they have revoked and reissued their security certificates, but with the same private keys as before.

According to a survey from Netcraft, more than 30,000 TLS/SSL certificates have been revoked to no effect, because the replacement certificates were issued for the very same private keys, ZDNet reports.

Heartbleed, the OpenSSL bug that affected a good part of the world’s websites, was unveiled about a month ago. The vulnerability let an attacker read chunks of a server’s memory with a single malformed heartbeat request, exposing what was supposed to be encrypted data of any user pushing data through the server at the time of the attack, and potentially the server’s private key itself.

The worst part is that the bug had been in OpenSSL for two years before it was discovered and a patch was issued. Attacks exploiting the vulnerability leave no trace in ordinary server logs, which means that it’s impossible to tell whether any actually took place in this time.

Patching servers with the new OpenSSL version shuts out the vulnerability, but it does nothing about a private key that may already have been stolen. That is why sites, including Google, Facebook and Yahoo, had to generate new keys and obtain new security certificates for them, and revoke the old ones. Web browsers that check revocation status can then warn users if a site still presents the old, possibly compromised certificate.

It is extremely important that sites change the keys, not merely request a new certificate for the old key, which it seems that some haven’t actually done.

According to Netcraft’s survey, 43 percent of the affected sites have reissued their certificates since the appearance of Heartbleed. Seven percent of these have reissued them with the same private key, effectively missing the entire point of the process: an attacker who captured the old key can still impersonate the site with the new certificate.

Only 14 percent of sites have done all three things necessary to prevent attacks: generated a new key, reissued the certificate for it, and revoked the old certificate. Overall, about 20 percent have revoked their old certificates, although a few didn’t reissue them at all.
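The check that separates the 14 percent from the 7 percent is mechanical: the public key inside the new certificate either equals the one in the old certificate or it does not. The script below is an added example, not code from the article or from Netcraft’s survey. It extracts the SubjectPublicKeyInfo from two PEM certificates with a small stand-alone DER walker (standard library only) and compares them; the three certificates it runs on are constructed placeholders (the name example.test, zeroed signatures, made-up moduli) so that it runs offline.

```python
"""Does a reissued certificate actually carry a new key?

Added example for this article, not from the original report or Netcraft's survey.
It walks the certificate's DER structure directly and compares the SubjectPublicKeyInfo
of the old and reissued certificate. The samples at the bottom are constructed in-line:
right ASN.1 shape, but zeroed signature and placeholder keys, so not real certificates.
"""
import base64
import hashlib
import re

def der_read(buf, pos):
    """Read one DER TLV at pos. Returns (tag, value, raw_tlv, position after it)."""
    start, tag, length = pos, buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end

def der_children(value):
    """Split the content of a constructed value into (tag, value, raw_tlv) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, raw, pos = der_read(value, pos)
        out.append((tag, val, raw))
    return out

def pem_to_der(pem):
    """Base64-decode the body between the BEGIN/END CERTIFICATE lines."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))

def tbs_fields(cert_der):
    """Top-level elements of tbsCertificate with the optional [0] version dropped, so the
    indexes hold for v1 and v3: 0 serial, 1 signature, 2 issuer, 3 validity, 4 subject, 5 SPKI."""
    _, cert_body, _, _ = der_read(cert_der, 0)          # Certificate ::= SEQUENCE
    tbs_tag, tbs_body, _, _ = der_read(cert_body, 0)    # tbsCertificate ::= SEQUENCE
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = der_children(tbs_body)
    if fields and fields[0][0] == 0xA0:
        fields = fields[1:]
    return fields

def spki_der(cert_der):
    """Raw DER of the SubjectPublicKeyInfo (algorithm identifier + public key bits)."""
    return tbs_fields(cert_der)[5][2]

def spki_fingerprint(pem):
    """SHA-256 over the SPKI DER: the value that `openssl x509 -pubkey -noout |
    openssl pkey -pubin -outform DER | sha256sum` prints for the same certificate."""
    return hashlib.sha256(spki_der(pem_to_der(pem))).hexdigest()

def reissue_verdict(old_pem, new_pem):
    """'unchanged' (same cert), 'same-key' (new cert, old key: the case the survey flags), 'rekeyed'."""
    old_der, new_der = pem_to_der(old_pem), pem_to_der(new_pem)
    if old_der == new_der:
        return "unchanged"
    if spki_der(old_der) == spki_der(new_der):
        return "same-key"
    return "rekeyed"

# --- constructed samples (placeholders, not real certificates or keys) ---------------------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return _tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)

def _fake_cert_pem(serial, modulus):
    """Unsigned v3-shaped certificate for 'example.test' with the given serial and RSA modulus."""
    rsa_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))  # rsaEncryption
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))  # sha256WithRSA
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x13, b"example.test"))))
    validity = _tlv(0x30, _tlv(0x17, b"140408000000Z") + _tlv(0x17, b"150408000000Z"))
    rsa_key = _tlv(0x30, _der_int(int.from_bytes(modulus, "big")) + _der_int(65537))
    spki = _tlv(0x30, rsa_alg + _tlv(0x03, b"\x00" + rsa_key))
    tbs = _tlv(0x30, _tlv(0xA0, _der_int(2)) + _der_int(serial) + sig_alg + name + validity + name + spki)
    cert = _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" + bytes(32)))  # zeroed signature
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"

KEY_A = hashlib.sha256(b"placeholder modulus A").digest() * 8   # 256 bytes, 2048-bit-sized placeholder
KEY_B = hashlib.sha256(b"placeholder modulus B").digest() * 8
OLD_CERT = _fake_cert_pem(0x1001, KEY_A)           # certificate in use when Heartbleed was disclosed
REISSUED_SAME_KEY = _fake_cert_pem(0x1002, KEY_A)  # new serial, old key: revocation bought nothing
REISSUED_NEW_KEY = _fake_cert_pem(0x1003, KEY_B)   # new serial, new key: the correct response

if __name__ == "__main__":
    for label, pem in (("same key", REISSUED_SAME_KEY), ("new key", REISSUED_NEW_KEY)):
        print(f"{label}: {reissue_verdict(OLD_CERT, pem)}, spki sha256 {spki_fingerprint(pem)[:16]}...")
```

On a real site, replace the placeholders with the certificate saved from before the patch and the one the server presents now (for instance from `openssl s_client -connect host:443 -showcerts`). A reissue that comes back `same-key` has to be repeated with a freshly generated key, and both the original certificate and the same-key reissue revoked.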

Heartbleed has had a huge impact on Internet companies. Not only did they realize that they had to start supporting the OpenSSL project with more than good thoughts, namely with money, but they also started to pay more attention to the safety of their users.

At the same time, Internet users have taken it upon themselves to change their passwords in case theirs had been collected by hackers or government agencies, a step that only helps once the site in question has finished patching and replacing its keys.

Since we’re on the topic, the NSA has been suspected of having known about the bug and of keeping it secret in order to continue exploiting it. The agency has denied this, but the NSA’s credibility is so weak nowadays that hardly anyone actually trusts it.