Heartbleed was one of the most devastating security flaws ever exposed.
Earlier this month, a Google security researcher named Neel Mehta and a small team from Codenomicon discovered a loophole in OpenSSL which allowed third parties to spy on ‘encrypted’ and ‘protected’ transmissions.
The flaw had existed since 2011. Normally, flaws like this are big news in security circles but not big enough for most people to care. Heartbleed was different: the vast majority of websites on the internet – including government agencies, Twitter, Facebook, and virtually every other big website you like – use OpenSSL to protect their customers.
The craziest thing about Heartbleed is that we don’t even know if anyone was affected by it: Bloomberg reported that “NSA Said to Exploit Heartbleed Bug for Intelligence for Years”. However, we don’t know whether hackers or malicious terrorist groups knew about – or exploited – the serious flaw to gain access to sensitive government documents.
Here’s the good news: OpenSSL released a patch on April 7. Over the last two weeks, the vast majority of websites on the internet today have applied that patch.
Depending on which security research you cite, about 98.5% to 99.5% of all websites are now immune to the attack. The most trustworthy figures I found looked like this:
- 100% of the top 1,000 Alexa ranked sites are now immune to Heartbleed
- 99.47% of the top 10,000 Alexa ranked sites are immune
- 98.5% of the top 100,000 Alexa ranked sites are immune
- 98% of the top 1 million Alexa ranked sites are immune
Thanks to our friends at the Sucuri Blog for that info and research.
Alexa ranks websites according to daily unique visitor totals. It’s the world-standard way to rank websites according to popularity.
You can read through the bug report that changed the tech world here: https://www.openssl.org/news/secadv_20140407.txt
Ultimately, all of the websites you frequent on a daily basis should be protected. That doesn’t mean that you’re immune from the effects of Heartbleed, however. If you haven’t changed your passwords over the past few weeks, then it’s time to do that now. If you’ve done that for all your accounts, then you should no longer have any problems with Heartbleed.