Heartbleed – Reports from the Field

It has been now five days since details emerged regarding the “Heartbleed” vulnerability in OpenSSL. During this time we have been researching the impact of the vulnerability, tracking the patch states of popular websites, and monitoring attacks. So what have we learned?

Most popular sites are no longer vulnerable

We have been tracking the most popular websites to see which of them are currently vulnerable to Heartbleed. No website included in Alexa’s top 1000 websites is currently vulnerable. Within the Alexa top 5000 websites, only 24 websites are vulnerable. Overall, within the Alexa top 50,000 websites only 1.8 percent is vulnerable to Heartbleed. Based on this data, chances are that the websites most frequently visited by the average user are not affected by Heartbleed.

It is possible that your data may have been stolen prior to a website being updated. To mitigate against this ensure that you do not reuse passwords across multiple sites.

Yes, you should change your passwords

There has been some contradictory information regarding whether users should change their passwords. Based on our examination of the most popular websites above, it should now be safe to change the passwords for most of your online accounts.

If you have any doubt, Symantec offers the following tool to check whether a website is vulnerable to Heartbleed:

If a website is still vulnerable, do not change your password for that site just yet.

The problem is serious, but a doomsday scenario is unlikely

Heartbleed could be used by attackers to steal personal data such as usernames and passwords—and doing so is relatively easy. However one of the biggest concerns is that the vulnerability could be used to steal the private keys which are used to encrypt communications with websites. By stealing these keys, attackers could eavesdrop on communications or set up fake websites which impersonate legitimate websites allowing them access to even more data. As stated in our previous blog, stealing these keys is very difficult. Some researchers have been successful in stealing keys using Heartbleed, but each case required specific circumstances to be met; in particular, keys are more likely to be exposed only at the moment after the web server is started.

Heartbleed is not being widely used by attackers

Our monitoring has shown that while there is widespread scanning for vulnerable websites, most of this scanning seems to be originating from researchers. We have witnessed relatively few mass scans for the Heartbleed vulnerability originating from attackers. Attackers could be targeting specific sites but, fortunately, the most popular sites are no longer affected.

IPS will help block attacks

Symantec IPS signature 27517, Attack: OpenSSL Heartbleed CVE-2014-0160 3, has been released and will detect and block attempts to exploit Heartbleed on vulnerable servers.

Advice remains the same

For businesses:

  • Anyone using OpenSSL 1.0.1 through 1.0.1f should update to the latest fixed version of the software (1.0.1g), or recompile OpenSSL without the heartbeat extension. 
  • Businesses should also replace the certificate on their web server after moving to a fixed version of OpenSSL.
  • Finally, and as a best practice, businesses should also consider resetting end-user passwords that may have been visible in compromised server memory.

For consumers:

  • Be aware that your data could have been seen by a third party if you used a vulnerable service provider.
  • Monitor any notices from the vendors you use. Once a vulnerable vendor has communicated to customers that they should change their passwords, users should do so.
  • Avoid potential phishing emails from attackers asking you to update your password. To avoid being tricked into going to an impersonated website, stick with the official site domain.

For further information

For the latest information on Heartbleed, including how to minimize your risk, please visit the Symantec Heartbleed outbreak page: