A team of security researchers at the University of Michigan has used an open source network scanner called ZMap to search the Internet for servers still vulnerable to the "Heartbleed" exploit, which can be used to retrieve user names, passwords, and possibly even private encryption keys from servers that use the popular OpenSSL 1.0.1 cryptographic library. OpenSSL patched the vulnerability earlier this week, but hundreds of thousands of Web servers and other network-connected devices that use the affected libraries are still vulnerable.
ZMap, developed at the University of Michigan by Assistant Professor J. Alex Halderman and computer science graduate students Zakir Durumeric and Eric Wustrow, can perform a complete scan of the Internet's IPv4 address space in less than 45 minutes when run on a machine with a gigabit network connection. Durumeric, Halderman, undergraduate computer science student David Adrian, and Research Associate Professor Michael Bailey configured a ZMap scan for the Heartbleed vulnerability, seeded with Alexa's list of the 1 million most popular domains on the Internet.
"As of 4:00 PM on April 9, 2014," the researchers reported in their results, "we found that 34 percent of the Alexa Top 1 Million websites support TLS. Of the websites that support HTTPS, 11 percent are vulnerable, 27 percent safely support the heartbeat extension, and 61 percent do not support the heartbeat extension (and are therefore safe). While we are still completing full scans of the Internet, initial results show that approximately 6% of all hosts that support HTTPS remain vulnerable. We will be updating these numbers as more scan results become available. We are not releasing full Internet-wide scans at this time."