Many sites reusing Heartbleed-compromised private keys

Heartbleed has forced many to revoke and reissue TLS/SSL certificates, but more than seven percent have been reissued with the same keys.
Written by Larry Seltzer, Contributor

Since the Heartbleed vulnerability in OpenSSL was announced on April 7, more than 30,000 TLS/SSL certificates have been revoked and reissued with the same keys, missing the whole point of the exercise.

That number comes from Netcraft's SSL survey, an ongoing research project studying TLS/SSL sites across the Internet.

Heartbleed allowed an attacker to read an OpenSSL-based server's private keys out of memory, which defeats the protection of any data the server exchanges and lets the attacker masquerade as the server. This meant that, aside from updating their OpenSSL installation, sites had to revoke their old certificates and have new ones issued for new keys.

According to Netcraft's survey (see Netcraft's Euler diagram below), 43 percent of sites have reissued their certificates since the appearance of Heartbleed. Seven percent of those have reissued them with the same private key. Only 14 percent have revoked and reissued with new keys, which is the full set of tasks necessary to prevent attack.

Overall, 20 percent have revoked their old certificate, a few without reissuing. Finally, five percent have revoked and reissued, but used the same keys as the earlier certificate.


Most certificate authorities are not automatically checking for key reuse. Tools such as Netcraft's can be used to determine whether the problem exists on a particular site.
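As an added example (not from the article and not Netcraft's tool), this is the check a site operator can run locally on the old and the reissued certificate: parse the outer X.509 DER layout far enough to pull out the SubjectPublicKeyInfo and compare its SHA-256 fingerprint, since a reissue that keeps the same SPKI has kept the same, possibly leaked, private key. The toy certificates built by `toy_cert` are constructed, unsigned input used only to exercise the parser.

```python
import hashlib

def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def subject_public_key_info(cert_der: bytes) -> bytes:
    """Return the full DER encoding of a certificate's SubjectPublicKeyInfo."""
    tag, pos, _ = _read_tlv(cert_der, 0)                # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(cert_der, pos)              # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, _, end = _read_tlv(cert_der, pos)              # optional [0] EXPLICIT version
    if tag == 0xA0:
        pos = end
    for _ in range(5):        # skip serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    _, _, end = _read_tlv(cert_der, pos)                # subjectPublicKeyInfo
    return cert_der[pos:end]

def spki_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER SPKI (same value as `openssl x509 -pubkey` piped to sha256)."""
    return hashlib.sha256(subject_public_key_info(cert_der)).hexdigest()

def key_reused(old_cert_der: bytes, new_cert_der: bytes) -> bool:
    """True when the reissued certificate still carries the old public key."""
    return spki_fingerprint(old_cert_der) == spki_fingerprint(new_cert_der)

# Constructed sample input: unsigned toy certificates with the real X.509 field layout.
def _der(tag: int, payload: bytes) -> bytes:
    n = len(payload)                                    # DER length encoding for n < 65536
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload

def toy_cert(serial: int, public_key: bytes) -> bytes:
    version = _der(0xA0, _der(0x02, b"\x02"))           # [0] EXPLICIT INTEGER 2 (v3)
    empty = _der(0x30, b"")                             # placeholder AlgorithmIdentifier / Name / Validity
    spki = _der(0x30, empty + _der(0x03, b"\x00" + public_key))   # SEQUENCE { algorithm, BIT STRING }
    tbs = _der(0x30, version + _der(0x02, bytes([serial])) + empty + empty + empty + empty + spki)
    return _der(0x30, tbs + empty + _der(0x03, b"\x00"))         # + signatureAlgorithm + signatureValue
```

For real certificates, convert each PEM file with the standard library's `ssl.PEM_cert_to_DER_cert()` and pass the two DER blobs to `key_reused()`; a result of `True` after a Heartbleed reissue means the key pair was never replaced.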
