You’re not out of the woods yet, Web users. It seems like ages ago in Internet time that Heartbleed was first discovered. The massive OpenSSL vulnerability affected about 66% of the entire Internet when it was uncovered by security researchers, and it can allow hackers to intercept sensitive data including usernames and passwords. Big companies moved fast to patch the vulnerability and resolve the problem, but unfortunately not everyone acted so quickly to protect their users.
According to a new report from Robert Graham of Errata Security, there are still at least 318,239 servers on the Internet that are vulnerable to Heartbleed. The actual figure is likely much higher than that due to several factors noted by Graham.
“The numbers are a little strange. Last month, I found 28-million systems supporting SSL, but this month I found only 22-million,” he noted as one reason the actual number of affected servers is likely higher than the figure he reported. “I suspect the reason is that this time, people detected my Heartbleed ‘attacks’ and automatically firewalled me before the scan completed. Or, another problem is that I may have more traffic congestion at my ISP, which would reduce numbers.”
Similar scans performed last month found that more than 600,000 servers were vulnerable, so things are moving in the right direction — but slowly.
If you want to protect yourself from Heartbleed, this is the first step you need to take.