heartbleed

Vjeran Pavic / Re/code

Security


After all the alarmed coverage in the media, after all the advice to change passwords and patch affected websites, how worried did we all get about the Heartbleed vulnerability, really?

Not so much, it seems, according to two bits of research that studied responses from people on different ends of the spectrum — everyday consumers and website operators.

The newest findings out on Friday from the U.K.-based Internet security firm Netcraft, which has been tracking the progress of sites affected by the bug. There are two things those sites have been advised to do: First, update the version of OpenSSL, the open source security software where the vulnerability was found; second, revoke and reissue the certificates used to prove they are who they say they are.

According to Netcraft’s data, 57 percent of sites affected by Heartbleed have taken no action whatsoever. To put that in perspective, that’s likely to be the bottom 57 percent of websites that exist, but which few people bother to use. Remember, last month the Top 1,000 most-popular sites were fixed by April 14, and that of the top 10,000 most popular sites only 53 were found to be still vulnerable by that date.

Here’s where it gets fuzzy: Many sites have taken some action, but have missed a few steps — or worse, are doing it wrong. Netcraft reckons that only 14 percent of all sites affected by Heartbleed have done everything they need to do to fix the vulnerability: Replaced their certificates, revoked the old ones and used a new set of cryptographic keys to generate new ones. Indeed, five percent of sites have issued new certificates generated with their old keys.

Here’s why keys and certificates are important: An attacker can take advantage of Heartbleed to scoop the private keys out of an affected system’s memory, thus allowing them to create a fake certificate, which they can then use to impersonate the site. This was the worst-case scenario envisioned by security researchers: Imagine signing into your bank’s website, only to find out that it’s really not your bank.

Then there’s this: A survey released last week by Software Advice, a company that advises businesses on software purchases, found that 67 percent of people in the survey sample (3,000 people in the U.S.) had done nothing to secure any of their accounts. That’s right, nothing.

Only a little more than half of those in the survey knew what Heartbleed is, and the youngest people surveyed, aged 18-24, tended to be the least informed of all. Finally, 75 percent said they had received no instructions to change passwords at work.

So despite the best-ever branding for a security vulnerability and many people in the media typing scary words about it, either the public doesn’t know about Heartbleed or, having been warned about numerous security problems in the past few years, they don’t care. Apathy: Get used it.



2 comments
LukeF
LukeF

 It does not surprise me. People just don't care. It seems that in my neighbour I am the only one taking care of my passwords and taking care about security by protecting myself with antivirus and password management software and proper techniques. For instance regarding Heartbleed I have used my password manager Sticky Password (http://www.stickypassword.com) and changed all the passwords I had in it - 500+ and it was a full day commitment and a hard time for me, but I feel more secure now. I hope that some day everyone will take responsibility for their own security.

Harth
Harth

Apathy?  What bred this apathy?  People are tired of media over-hyping things only to have nothing come of it.  The sky is falling! The sky is falling!  Or not.

Follow

Get every new post delivered to your Inbox.

Join 301,119 other followers