Many sites reusing Heartbleed-compromised private keys

Summary:Heartbleed has forced many to revoke and reissue TLS/SSL certificates, but more than seven percent have been reissued with the same keys.

Since the Heartbleed vulnerability in OpenSSL was announced on April 7, more than 30,000 TLS/SSL certificates have been revoked and reissued with the same keys, missing the whole point of the exercise.

That number comes from Netcraft's SSL survey, an ongoing research project studying TLS/SSL sites across the Internet.

Heartbleed allowed an attacker to determine an OpenSSL-based server's private keys, thus removing any data protection and allowing an attacker to masquerade as the server. This meant that, aside from updating their OpenSSL installation, sites had to revoke their old certificates and reissue new ones.

According to Netcraft's survey (see Netcraft's Euler diagram below), 43 percent of sites have reissued their certificates since the appearance of Heartbleed. Seven percent of those have reissued them with the same private key. Only 14 percent have revoked and reissued with new keys, which is the full set of tasks necessary to prevent attack.

Overall, 20 percent have revoked their old certificate, a few without reissuing. Finally, five percent have revoked and reissued, but used the same keys as the earlier certificate.

hertbleed-euler-diagram6

Most certificate authorities are not automatically checking for key reuse. Tools, such as Netcraft's, can be used to determine if the problem exists on a particular site.

Topics: Security

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.