Heartbleed Isn’t Dead Yet

bleedThere’s a really good reason why security researchers were so spooked by the Heartbleed bug: there’s just no silver bullet. Even if we somehow banded together to get most of the world’s systems patched, a big chunk of the Internet would likely be left vulnerable.

Sure enough, Heartbleed beats on.

(Not sure what Heartbleed is? Need a refresher course? Check out this video that explains it.)

First, the good news: when word of the Heartbleed vulnerability first hit, a scan by security firm Errata turned up 600,000 vulnerable servers. Within a month, as all of the major sites and web hosts rushed to patch things up, that number had plummeted to 318,239. That’s nearly 50%!

The bad news: another month later, the pin has stopped moving. 75 days after the disclosure of Heartbleed, Errata’s scan still finds 309,197 vulnerable servers. That’s an improvement of less than 3% in month 2.

Progress is progress — but at this point, progress has seemingly plateaued.

What this means, oversimplified: while almost all of the Internet’s most popular sites (the top 1000 or so — the biggest, most obvious targets for attackers) are no longer vulnerable, lots and lots of smaller sites/systems are still at risk. And based on the patch rate just 2 months later, after the appropriately huge hype surrounding the bug has tapered, that… probably won’t ever change.

What can you do, as a user? The best thing is to be particularly strict about your security practices. Avoid logging into older, less-maintained sites that haven’t confirmed that they’re patched against Heartbleed. Most importantly, perhaps, is to use a different password everywhere. That way, if logging into some tiny, long-abandoned forum leads to your password being exposed, you’re not exposing all of your other accounts too.