According to a report released today by the Internet watchdog association Netcraft, a total of only 30,000 websites and network hubs have updated and reissued their OpenSSL certificates since news of the Heartbleed bug first broke earlier this week.
It’s understandable that fewer than half of all affected servers would be patched only a few short days after the news first hit, but a fraction of a fifth? Many in the security community argue that it simply isn’t enough to start claiming victory over the SSL vulnerability just yet.
Netcraft was enthusiastic about the number of sites it saw joining the revocation fray, although it was also quick to note that the rate of reissues would need to jump significantly in the next few weeks if Heartbleed is to be put down for the count anytime soon.
“Despite the importance of revoking certificates which could have been stolen using the Heartbleed bug, many website administrators and certificate authorities have yet to do this. Activity on certificate revocation lists peaked at a rate of 2,600 revocations per hour on the day the Heartbleed bug was announced (Monday April 7, 2014). On a typical Monday, we would expect to see a total of around 10,000-14,000 SSL certificates being revoked over the course of the day.”
Many of the big boys you’d naturally expect to be at the forefront of the update army are fully represented in that group of 30,000, including Yahoo, Adobe, CloudFlare, Reddit, PayPal, Netflix and Amazon’s CloudFront content delivery network.
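Reissuing is only a fix if the certificate is actually replaced, and the quickest way to tell whether a site is still serving a certificate from before the bug became public is to look at its validity start date. The following Go program is an added example, not code from the article or from Netcraft: it parses a PEM certificate and flags any whose validity began before the disclosure date quoted above (7 April 2014), which is the simplest test for a certificate whose private key may have been exposed while the server was vulnerable. The self-signed certificates it generates are constructed sample input so that the check runs offline; the `example.test` name and the chosen dates are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// HeartbleedDisclosure is the day the bug was announced (Monday 7 April 2014, UTC).
var HeartbleedDisclosure = time.Date(2014, time.April, 7, 0, 0, 0, 0, time.UTC)

// NeedsReissue reports whether a certificate's validity period began before the
// disclosure. A key that was live on a vulnerable server at that point may have been
// read out of memory, so the certificate should be revoked and a NEW key pair issued.
// NotBefore is a heuristic: a certificate reissued with the same key also passes this
// test but offers no protection, so it is a necessary check, not a sufficient one.
func NeedsReissue(cert *x509.Certificate, disclosed time.Time) bool {
	return cert.NotBefore.Before(disclosed)
}

// CheckPEM parses a PEM-encoded certificate and returns whether it predates disclosure.
func CheckPEM(pemBytes []byte) (bool, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, errors.New("no CERTIFICATE block found in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	return NeedsReissue(cert, HeartbleedDisclosure), nil
}

// SelfSignedPEM builds a constructed self-signed certificate whose validity starts at
// notBefore. It exists only to produce sample input for the check without a network.
func SelfSignedPEM(cn string, notBefore time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Two constructed certificates: one issued well before disclosure, one two days after.
	starts := []time.Time{
		time.Date(2014, time.January, 15, 0, 0, 0, 0, time.UTC),
		time.Date(2014, time.April, 9, 0, 0, 0, 0, time.UTC),
	}
	for _, start := range starts {
		p, err := SelfSignedPEM("example.test", start)
		if err != nil {
			panic(err)
		}
		needs, err := CheckPEM(p)
		if err != nil {
			panic(err)
		}
		fmt.Printf("certificate valid from %s: needs reissue = %v\n", start.Format("2006-01-02"), needs)
	}
}
```

On a real server the PEM would come from the site's TLS handshake rather than from `SelfSignedPEM`. A "false" result here only means the certificate is new; whether the old one was actually revoked is a separate question answered by the CA's CRL or OCSP responder, which is the activity the Netcraft figures above are counting.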
However, even if these sites make up the majority of your visits on any given day, all it takes is one obscure login on a lesser-known portal that shares a password with your other accounts: once that one password is exposed, every account it is reused on is compromised, and the rest is pretty much downhill from that point on.
As a precaution, if you haven’t already, it’s highly recommended to go through all your current passwords and change them to something more complex, and to make sure none of them is related to anything you used before patches started flying out in the wake of one of the largest online security bungles in recent history.