This indicates people have stopped even trying to patch. We should see a slow decrease over the next decade as older systems are slowly replaced. Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable. I'll scan again next month, then at the 6-month mark, and then yearly after that to track the progress.
Are you trying to reach out to the owners of these websites using their domain contacts?
Of course I'm not reaching out to them. It would cause more problems than it would solve.
Oh man! Thanks Robert for this warning and stats.
This is actually because of the readers' behaviour we call "Nothing New". The majority of readers ignore the threats and updates because they think 'it's nothing new'; they already know about it and they don't even need a patch for it, 'because it's nothing new' :P
I realize that you don't want to create a hit list of vulnerable sites, but from a user's perspective I'd like to know at this point which site operators are not just negligent (i.e. taking up to a month to patch), but dangerously so (as you wrote, sites whose administrators "... have stopped even trying to patch").
At what point (if ever) would you consider it fair to post a current version of this list?
What would be more interesting than just a blanket 300k number would be how this breaks down across segments that most users would care about: financial services, internet retail 500, etc. I would venture an (unsubstantiated) guess that most of the internet that a majority of people actually care about has been patched. If not, those sites should be called out immediately for being a danger to end users.
Robert, how many SSL-supporting servers did you catalog? Was it still around 22 million?
Who do I contact to have my IPs removed from your scans?
Please keep sharing knowledge with us. Thanks a lot for your great post.
ReplyDeleteInstant Annuity Rates
Interesting - a 60-day half-life for patching, even with all the (often overwrought) publicity.