It’s only been one month since the Heartbleed vulnerability in OpenSSL became public, and still
many organizations remain vulnerable.
According to Netcraft, only 43 percent of the company sites it scanned had reissued their SSL
certificates in response to this bug, and many more sites are still susceptible. Netcraft also
noticed that seven percent of the reissued SSL certificates were reissued using the same private
key, while fifty-seven percent of the sites took no action.
The Heartbleed vulnerability is due to certain versions of OpenSSL not properly handling
Heartbeat extension packets; the end result is that remote attackers can steal sensitive
information from process memory using specially crafted packets that cause a buffer over-read.
After the Heartbleed vulnerability broke, experts made it clear that the SSL keys needed to be
replaced, not simply reissued.
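The over-read comes down to one missing comparison: the payload length the peer supplies was trusted instead of being checked against the size of the record actually received. Below is an added example in C (not OpenSSL's code and not from this article) of a minimal heartbeat-record validator that performs the check the fixed versions added; the record layout follows RFC 6520 and the two sample records are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Heartbeat message layout per RFC 6520: 1-byte type, 2-byte payload_length
 * (big-endian), the payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Payload length as claimed by the peer, parsed from bytes 1-2 of the record. */
static size_t hb_claimed_len(const uint8_t *rec) { return ((size_t)rec[1] << 8) | rec[2]; }
/* The check that vulnerable OpenSSL builds lacked (re-implemented here, not
 * OpenSSL's own code): header + claimed payload + padding must fit inside the
 * record that was actually received. Returns 1 if the record is well-formed. */
int hb_record_is_valid(const uint8_t *rec, size_t rec_len) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;   /* cannot even hold a header */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload = hb_claimed_len(rec);
    /* Vulnerable builds skipped this comparison and copied `payload` bytes regardless,
     * so a short record with a large claimed length read past it into process memory. */
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;
    return 1;
}

/* Build the response only after validation; copies exactly `payload` bytes. */
int hb_build_response(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap, size_t *out_len) {
    if (!hb_record_is_valid(rec, rec_len)) return -1;
    size_t payload = hb_claimed_len(rec);
    if (1 + 2 + payload + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);    /* padding (zeroed for the demo) */
    *out_len = 1 + 2 + payload + HB_PADDING;
    return 0;
}
/* Response length for a record, or -1 if the record is rejected. */
long hb_response_len(const uint8_t *rec, size_t rec_len) {
    static uint8_t out[1 + 2 + 0xFFFF + HB_PADDING];
    size_t n = 0;
    return hb_build_response(rec, rec_len, out, sizeof out, &n) == 0 ? (long)n : -1;
}
/* Constructed sample records (not captured traffic): a benign 5-byte payload,
 * and the same bytes with the length field set to 65535. */
const uint8_t hb_benign[]    = {HB_REQUEST, 0x00, 0x05, 'h','e','l','l','o',
                                0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
const uint8_t hb_oversized[] = {HB_REQUEST, 0xFF, 0xFF, 'h','e','l','l','o',
                                0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
```

The benign record is echoed back as a 24-byte response, while the record claiming 65535 bytes is rejected before any copy takes place.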
Exploits have shown that private keys could be stolen from servers, and the stolen keys would
allow websites to be impersonated and traffic to be decrypted. Thousands of applications from
companies such as IBM, Juniper, Cisco, Symantec, McAfee, and many more are vulnerable to
Heartbleed behind their proxies and firewalls.