Tuesday, April 07, 2015

No, 75% are not vulnerable to Heartbleed

A little-known company "Venafi" is suddenly in the news implying 75% of major systems are still vulnerable to Heartbleed. This deserves a rating of "liar liar pants on fire".

The issue isn't patches but certificates. Systems are patched, but while they were still vulnerable to Heartbleed, hackers may have stolen the certificates' private keys. Therefore, the certificates need to be replaced. Not everyone has replaced their certificates, and those that have may have done so incorrectly (reusing the same private keys, or not revoking the previous certificates).

Thus, what the report is saying is that 75% haven't updated their certificates correctly. Naturally, they sell a solution for that problem.
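As an added example (not part of the original post), here is a shell check for the "same keys" failure mode described above: it compares the SHA-256 of the SubjectPublicKeyInfo of an old and a replacement certificate, which is the same value an SPKI pin uses, so two certificates that share it share the private key. It assumes the openssl CLI is on PATH and generates its own throwaway self-signed certificates for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: decide whether a certificate that
# was "replaced" after Heartbleed actually got a new private key. If the key was
# reused, a key stolen during the vulnerable window still works against the
# replacement certificate. Assumes the openssl CLI is available.
set -eu

# SHA-256 of the DER-encoded SubjectPublicKeyInfo of a PEM certificate.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r \
        | cut -d' ' -f1
}

# Exit status 0: the key was rotated (SPKI differs); 1: the same key was reused.
key_rotated() {
    [ "$(spki_sha256 "$1")" != "$(spki_sha256 "$2")" ]
}

# Constructed demo material in a scratch directory:
#   old.pem   - the pre-patch certificate and its key
#   reuse.pem - a "replacement" issued for the same key (wrong remediation)
#   fresh.pem - a replacement issued for a newly generated key (right remediation)
make_demo_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=demo.invalid -days 1 \
        -keyout "$dir/old.key" -out "$dir/old.pem" 2>/dev/null
    openssl req -x509 -new -key "$dir/old.key" -subj /CN=demo.invalid -days 1 \
        -out "$dir/reuse.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=demo.invalid -days 1 \
        -keyout "$dir/fresh.key" -out "$dir/fresh.pem" 2>/dev/null
}

# Human-readable verdict for one old/new pair.
report() {
    if key_rotated "$1" "$2"; then
        echo "$2: key rotated relative to $1"
    else
        echo "$2: SAME key as $1 (remediation incomplete)"
    fi
}

demo=$(mktemp -d)
make_demo_certs "$demo"
report "$demo/old.pem" "$demo/reuse.pem"
report "$demo/old.pem" "$demo/fresh.pem"
rm -rf "$demo"
```

For a real server, replace the demo files with the certificate captured before patching and the one currently served; a matching SPKI hash means the key was never rotated.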

However, even this claim isn't accurate. Only a small percentage of systems were vulnerable to Heartbleed in the first place, and it's hard to say which certificates actually needed to be replaced.

That's why you have the weaselly marketing language above. It's not saying 3 out of 4 of all systems, but only those that were vulnerable to begin with (a minority). They aren't saying they are still vulnerable to Heartbleed itself, but only that they are vulnerable to breach -- due to the certificates having been stolen.

The entire report is so full of this same language that I cannot figure out what they are claiming to any technical detail.

The fact is this: most companies patched their systems before their certificates were stolen. For those who did get certificates stolen, it's unlikely that their servers can be breached with that information. Sure, some user accounts may get compromised by hackers doing man-in-the-middle at Starbucks, but the servers themselves are safe. Even if you did everything wrong updating your certificates, you probably aren't in danger. Sure, some of you are, but most of you aren't.

All such glossy marketing PDFs are full of FUD, this one worse than most. I give it a "liar liar pants on fire" rating.

1 comment:

paulfroberts said...

Hey Rob - good article. I covered this with the headline "Certificates Interruptus" ;-) The issue Venafi is raising is that most firms patched, but few fully remediated, which would entail replacing private keys and revoking/reissuing certs. Their argument - not unreasonable - is that companies have no way of knowing whether a vulnerable OpenSSL installation may have been compromised prior to public disclosure of Heartbleed. It seems likely that some groups were actively exploiting the vuln as early as 2013 (EFF report). So, while it's likely for any organization that patching is OK, there's really no way to know for sure that you weren't hacked. But - agree - take the vendor-sponsored research with a grain of salt and actually read the report (as opposed to the press release about the report).