Summary:

Thousands of websites may have inadvertently introduced the Heartbleed bug to their servers in an effort to secure themselves from the vulnerability. In today’s era of web security, it’s probably not a good idea to fix something in your system just because you think it may be broken.

One in five companies currently affected by the Heartbleed bug may have inadvertently introduced the vulnerability to their servers, according to software developer Yngve N. Pettersen. Pettersen’s note comes in response to a May 8 security report on Heartbleed by Netcraft, an internet services and security company.

The report described how, while many websites may have patched OpenSSL — the cryptographic software library vulnerable to Heartbleed — and replaced and revoked their old SSL certificates, which are used to securely transmit information on the internet, 30,000 websites are presently using replacement certificates that were issued for the same compromised private key as the originals. In short, website owners who think they have solved the problem have actually not done so.

According to the Netcraft report, if a website reuses the same compromised private key, replacing its SSL certificate is meaningless: an attacker who holds the stolen private key can still impersonate the site behind its apparently secure new certificate, giving the website owner a false sense of security.
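The check this paragraph implies, written here as an added example (it is not code from the article, from Netcraft or from Pettersen): compare the public key in the replacement certificate with the one in the certificate that was on the server while it was vulnerable. If the two match, the replacement was issued for the same private key and the revocation bought nothing. It assumes the `openssl` command-line tool is installed; the certificates it generates are constructed demo material with a placeholder CN, not real site material.

```shell
#!/bin/sh
# Added example (not from the article, Netcraft or Pettersen). Assumes the
# openssl command-line tool is installed.

# spki_fingerprint CERT.pem
# Prints the SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo.
# Two certificates with the same fingerprint are bound to the same key pair,
# so a "new" certificate whose fingerprint matches the old one was issued
# for the very private key that Heartbleed may have exposed.
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{ print $NF }'
}

# key_status OLD.pem NEW.pem
# Prints REUSED when both certificates carry the same public key and
# ROTATED when the replacement was issued for a fresh key.
key_status() {
    old=$(spki_fingerprint "$1")
    new=$(spki_fingerprint "$2")
    if [ "$old" = "$new" ]; then
        echo REUSED
    else
        echo ROTATED
    fi
}

# make_demo
# Builds constructed test material in a temp directory and prints its path:
# a key standing in for one exposed by Heartbleed, the original certificate,
# a replacement wrongly issued for the same key, and a replacement issued
# for a freshly generated key. The CN is a placeholder, not a real host.
make_demo() {
    dir=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/exposed.key" 2>/dev/null
    openssl req -new -x509 -key "$dir/exposed.key" -subj "/CN=example.test" \
        -days 1 -out "$dir/old.pem" 2>/dev/null
    openssl req -new -x509 -key "$dir/exposed.key" -subj "/CN=example.test" \
        -days 1 -out "$dir/replacement_same_key.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/fresh.key" 2>/dev/null
    openssl req -new -x509 -key "$dir/fresh.key" -subj "/CN=example.test" \
        -days 1 -out "$dir/replacement_fresh_key.pem" 2>/dev/null
    echo "$dir"
}

# Real-world use: keep a copy of the certificate the server presented before
# patching and compare it with the one it presents now, e.g.
#   key_status old_cert.pem new_cert.pem
# Run this file with --demo to see both outcomes on the constructed material.
if [ "${1-}" = "--demo" ]; then
    d=$(make_demo)
    echo "same key:  $(key_status "$d/old.pem" "$d/replacement_same_key.pem")"
    echo "fresh key: $(key_status "$d/old.pem" "$d/replacement_fresh_key.pem")"
fi
```

The fingerprint is taken over the SubjectPublicKeyInfo rather than over the whole certificate because a reissued certificate always differs in serial number, validity dates and signature; only the key tells you whether anything that mattered actually changed.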

Unfortunately, as Pettersen noted, the websites that took the preemptive measure of installing the new SSL certificates unwittingly put themselves at risk. This just goes to show that in today’s era of web security, it’s probably not a good idea to fix something in your system just because you think it may be broken.

Essentially, as Pettersen wrote, “This means that thousands of sites have gone from not having a Heartbleed problem, to having a Heartbleed problem!”

  1. “Thousands of websites may have inadvertently introduced the Heartbleed bug to their servers in an effort to secure themselves from the vulnerability.” How would that work? The sites would have had their private key compromised already (i.e. be vulnerable to heartbleed) for reusing it to be an issue.

  2. This thing just continues to spread and spread, and yet not one productive solution has surfaced yet.

  3. “This means that thousands of sites have gone from not having a Heartbleed problem, to having a Heartbleed problem!”

    Except that is not what you describe in the article at all…
