One in five companies currently affected by the Heartbleed bug may have inadvertently introduced the vulnerability to their own servers, according to software developer Yngve N. Pettersen. Pettersen's note responds to a May 8 security report on Heartbleed by Netcraft, an internet services and security company.
The report described how many websites patched OpenSSL, the cryptographic library vulnerable to Heartbleed, and replaced and revoked their old SSL certificates, the documents that vouch for a server's public key when a browser sets up an encrypted connection. Yet about 30,000 of those sites obtained replacement certificates for the very same key pair, so the new certificate certifies a public key whose private half may already have been stolen through Heartbleed. In short, website owners who think they have solved the problem have not.
According to the Netcraft report, a site that reuses its compromised private key gains nothing from replacing its certificate. An attacker holding that key can still impersonate the site, because the new certificate vouches for the same public key, and can still decrypt any captured traffic that was not protected by a forward-secret cipher suite. The only effect of the swap is a false sense of security for the site owner.
Unfortunately, as Pettersen noted, websites that replaced their certificates as a precaution without doing the rest of the job unwittingly put themselves at risk. The lesson is not to leave a suspected bug alone but to remediate in the right order: patch OpenSSL, generate a new private key, obtain a certificate for that new key, and only then revoke the old certificate. A certificate swap that skips the new key, or that happens while the server is still vulnerable, changes nothing.
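The key-reuse problem Netcraft describes is easy to check for, because a certificate carries the public key it certifies: if the old and replacement certificates have the same SubjectPublicKeyInfo, they belong to the same key pair and the replacement did not help. The following script is an added example written for this page, not code from Netcraft or Pettersen. It assumes the `openssl` command-line tool is installed; the certificates it generates are constructed sample data (self-signed, since a CA-issued certificate embeds the SubjectPublicKeyInfo the same way), and the helper names `spki_sha256` and `key_reused` are this example's own.

```shell
#!/bin/sh
# Added example: detect a certificate reissue that kept the old (possibly stolen) key pair.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 of the certificate's SubjectPublicKeyInfo in DER form. Two certificates with
# the same SPKI hash certify the same key pair, whatever their serial numbers or dates.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -r | awk '{print $1}'
}

# Succeeds (exit 0) when the new certificate reuses the key pair of the old one.
key_reused() {
    [ "$(spki_sha256 "$1")" = "$(spki_sha256 "$2")" ]
}

# Constructed sample data: the "old" key pair and certificate, a reissue that kept the
# same key (the mistake Netcraft found on ~30,000 sites), and a proper replacement
# made from a freshly generated key.
make_cert() { # args: private key, output certificate, subject
    openssl req -x509 -new -key "$1" -out "$2" -days 30 -subj "$3" 2>/dev/null
}
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/old.key" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/new.key" 2>/dev/null
make_cert "$WORK/old.key" "$WORK/old.pem"         "/CN=example.test"
make_cert "$WORK/old.key" "$WORK/reissued.pem"    "/CN=example.test"
make_cert "$WORK/new.key" "$WORK/replacement.pem" "/CN=example.test"

# Compare each candidate replacement against the certificate that was in use during
# the vulnerable window.
for cand in reissued replacement; do
    if key_reused "$WORK/old.pem" "$WORK/$cand.pem"; then
        echo "$cand.pem: SAME key pair as old.pem - revoking old.pem gains nothing"
    else
        echo "$cand.pem: new key pair - old key can be retired"
    fi
done
```

Against a live site the same comparison works on the certificate fetched with `openssl s_client -connect host:443 -showcerts` and a copy of the certificate that was served before the patch (from a backup, or from a Certificate Transparency log); only the SPKI hash of the two needs to be compared.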
Essentially, as Pettersen wrote, “This means that thousands of sites have gone from not having a Heartbleed problem, to having a Heartbleed problem!”