Vjeran Pavic / Re/code
After all the alarmed coverage in the media, after all the advice to change passwords and patch affected websites, how worried did we all get about the Heartbleed vulnerability, really?
Not so much, it seems, according to two bits of research that studied responses from people on different ends of the spectrum — everyday consumers and website operators.
The newest findings, out on Friday, come from the U.K.-based Internet security firm Netcraft, which has been tracking the progress of sites affected by the bug. There are two things those sites have been advised to do: First, update the version of OpenSSL, the open source cryptographic library in which the vulnerability was found; second, revoke and reissue the certificates used to prove they are who they say they are.
According to Netcraft’s data, 57 percent of sites affected by Heartbleed have taken no action whatsoever. To put that in perspective, those are likely to be the bottom 57 percent of websites that exist, but which few people bother to use. Remember that last month the top 1,000 most-popular sites had all been fixed by April 14, and that of the top 10,000 most-popular sites only 53 were still found to be vulnerable by that date.
Here’s where it gets fuzzy: Many sites have taken some action, but have missed a few steps — or worse, are doing it wrong. Netcraft reckons that only 14 percent of all sites affected by Heartbleed have done everything they need to do to fix the vulnerability: replaced their certificates, revoked the old ones, and generated the replacements from a fresh set of cryptographic keys. Indeed, five percent of sites have issued new certificates that were generated with their old keys.
Here’s why keys and certificates are important: An attacker can take advantage of Heartbleed to scoop the private keys out of an affected system’s memory, and whoever holds a site’s private key can pass as the legitimate owner of its certificate, which lets them impersonate the site. This was the worst-case scenario envisioned by security researchers: Imagine signing into your bank’s website, only to find out that it’s really not your bank.
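One concrete check for the “new certificate, old key” mistake Netcraft describes, as an added example that is not from Netcraft or the article: compare the SubjectPublicKeyInfo fingerprint of the pre-Heartbleed certificate with that of the reissued one, and treat a match as a failed reissue, because the replacement still carries the key an attacker may already have extracted. The minimal DER walker and the constructed, unsigned stand-in certificates below are my own assumptions so the demo runs offline without a real certificate.

```python
import base64
import hashlib

def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_start, value_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length

def spki_fingerprint(cert_der):
    """SHA-256 over the DER SubjectPublicKeyInfo of an X.509 certificate. Walks the fixed
    TBSCertificate field order; assumes well-formed DER and validates nothing else."""
    _, tbs_start, _, _ = _read_tlv(cert_der, 0)            # Certificate SEQUENCE
    _, pos, _, _ = _read_tlv(cert_der, tbs_start)          # TBSCertificate SEQUENCE
    tag, _, _, after = _read_tlv(cert_der, pos)
    if tag == 0xA0:                                        # optional [0] EXPLICIT version
        pos = after
    for _ in range(5):           # serialNumber, signature, issuer, validity, subject
        _, _, _, pos = _read_tlv(cert_der, pos)
    _, _, end, _ = _read_tlv(cert_der, pos)                # subjectPublicKeyInfo
    return hashlib.sha256(cert_der[pos:end]).hexdigest()

def reissued_with_new_key(old_der, new_der):
    """True only if the replacement certificate carries a different public key."""
    return spki_fingerprint(old_der) != spki_fingerprint(new_der)

def load_cert_der(path):
    """Read a PEM or DER certificate file into DER bytes."""
    data = open(path, "rb").read()
    if data.startswith(b"-----BEGIN"):
        data = base64.b64decode(b"".join(l for l in data.splitlines() if not l.startswith(b"-----")))
    return data

# --- constructed stand-in certificates for the offline demo (unsigned, not real) ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _fake_cert(serial, key_bytes):
    """X.509 v3 field layout with empty placeholder names and validity; only the walk order matters."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial) + _der(0x30, b"") * 4
           + _der(0x30, key_bytes))                        # final SEQUENCE plays the SPKI
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

OLD_CERT      = _fake_cert(b"\x01", b"leaked-rsa-key-material")
REISSUED_SAME = _fake_cert(b"\x02", b"leaked-rsa-key-material")   # the 5% case: new cert, old key
REISSUED_NEW  = _fake_cert(b"\x02", b"freshly-generated-key")
```

Against real files the check is `reissued_with_new_key(load_cert_der("old.pem"), load_cert_der("new.pem"))`; a `False` result means the old key was never retired.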
Then there’s this: A survey released last week by Software Advice, a company that advises businesses on software purchases, found that 67 percent of people in the survey sample (3,000 people in the U.S.) had done nothing to secure any of their accounts. That’s right, nothing.
Only a little more than half of those in the survey knew what Heartbleed is, and the youngest people surveyed, aged 18-24, tended to be the least informed of all. Finally, 75 percent said they had received no instructions to change passwords at work.
So despite the best-ever branding for a security vulnerability and many people in the media typing scary words about it, either the public doesn’t know about Heartbleed or, having been warned about numerous security problems in the past few years, they don’t care. Apathy: Get used to it.