Still Bleeding One Year Later—Heartbleed 2015 Research

April 7, 2015 | Gavin Hill

Early last year the BBC dubbed 2014 the year of encryption. How right they were—not only for the increased use of encryption, but also for the 2014 threats that leveraged cryptographic keys and digital certificates in their attacks. Encryption, keys, and certificates were thrust to the forefront of the media on multiple occasions. To name a few, Heartbleed, Cupid, OpenSSL CCS, Shellshock, and POODLE impacted the entire world. Very quickly cybercriminals mobilized themselves to take advantage of these exploits, based on vulnerabilities that many were not remediating.

At Venafi, we reviewed how well organizations have remediated Heartbleed since it was first discovered. The research focused on the largest organizations in the world (the Global 2000), and the results are not very comforting. In last year’s Venafi Labs report, a staggering 76% of Global 2000 organizations with public-facing, Heartbleed-vulnerable systems were still vulnerable. We would have expected to see a significant improvement this year. Unfortunately, that’s not the case. There is only a 2% improvement in the number of Global 2000 organizations that have remediated Heartbleed.

[Chart: Heartbleed remediation status of Global 2000 organizations. Categories: Vulnerable, Incomplete Remediation, Remediation Complete]

In last year’s Venafi Q3 Heartbleed Threat Research Analysis we found that 97% of Global 2000 public-facing servers previously susceptible to Heartbleed had still not been fully remediated. The University of Maryland performed similar analysis in November 2014 and found that 87% of the susceptible servers had still not been fully remediated. Now a year after Heartbleed’s public disclosure, 85% of Global 2000 public-facing servers still remain vulnerable. Even though that’s a 16% improvement over 2014, it is still very poor performance, leaving the door open to cybercriminals.

The surprising part from the research findings this year is that the Heartbleed remediation steps that were taken weren’t actually driven by Heartbleed remediation efforts—this was just a secondary benefit. Instead, they were the result of impending certificate expirations. An astounding 65,000 certificates were re-issued with new private keys simply because of impending expirations. Although it is a good practice to keep short key and certificate rotation cycles, organizations should be replacing all keys and certificates to remediate Heartbleed. Industry experts from Bruce Schneier to Gartner’s Erik Heidt made it clear that to fully contain and remediate Heartbleed, SSL keys and certificates needed to be replaced.

Why so many are still susceptible to Heartbleed

Based on the trend of replacing keys only when certificates are about to expire, it would seem that organizations have either given up on trying to fully remediate this massive vulnerability or simply don’t grasp the gravity of the situation. I believe that there are two additional reasons for such poor Heartbleed remediation. As described by Gartner, “lazy” remediation—when organizations fail to replace the private key or fail to revoke the old certificate—shows that organizations do not understand that once the private key is exposed, everything is exposed. Another probable reason for the lack of Heartbleed remediation is that organizations simply don’t see the impact yet. According to Ponemon Institute, 100% of organizations have responded to an attack that misuses keys and certificates in the last 2 years. And an alarming 54% of them are unaware of where all of their keys and certificates are located. Not only are attacks that leverage keys and certificates increasing, their impact is as well. The organizations surveyed by Ponemon Institute estimated the risk of an attack using keys and certificates at $53 million over the next two years—this considerable risk should be a wakeup call for all organizations.

Remediating Heartbleed

Remediating Heartbleed goes beyond simply patching the OpenSSL vulnerability. Just as user IDs and passwords are assumed compromised after a breach, so too should keys and certificates be.

To remediate Heartbleed, 4 steps are required:

  1. Patch the OpenSSL vulnerability
  2. Generate new keys
  3. Issue and install new certificates
  4. Revoke old certificates
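
The four steps above, together with the “lazy” remediation pattern described earlier (a certificate reissued on the same private key, or an old certificate never revoked), can be turned into an inventory check. The following is an added example written for this post, not code from Venafi or from the original research; the host records, hostnames and key fingerprints are constructed, and the `HostRecord` fields assume an inventory that captures the served public key before and after disclosure. It classifies each public-facing endpoint into the same three buckets used in the chart (Vulnerable, Incomplete Remediation, Remediation Complete) and reports which step is missing.

```python
from dataclasses import dataclass
from datetime import date
import re

# Heartbleed was publicly disclosed on 7 April 2014; a certificate whose
# notBefore predates this cannot be the product of post-disclosure remediation.
HEARTBLEED_DISCLOSED = date(2014, 4, 7)


@dataclass
class HostRecord:
    """One public-facing endpoint as captured by a (hypothetical) inventory scan."""
    host: str
    openssl_version: str            # version string the host reports
    old_key_fingerprint: str        # fingerprint of the public key served before disclosure
    current_key_fingerprint: str    # fingerprint of the public key served now
    current_cert_not_before: date   # notBefore of the certificate served now
    old_cert_revoked: bool          # pre-disclosure certificate shows as revoked via CRL/OCSP


def openssl_version_vulnerable(version: str) -> bool:
    """True if the upstream version string falls in the Heartbleed range 1.0.1 .. 1.0.1f.

    Caveat: distributions backport fixes without bumping the version string
    (a patched build may still report 1.0.1e), so treat this as a first-pass
    screen against the inventory, not as proof that a host is unpatched.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)
    if (major, minor, fix) != (1, 0, 1):
        return False
    return letter < "g"   # "" (plain 1.0.1) and "a".."f" are vulnerable; "g" onward is fixed


VULNERABLE, INCOMPLETE, COMPLETE = "Vulnerable", "Incomplete Remediation", "Remediation Complete"


def classify(rec: HostRecord) -> tuple[str, list[str]]:
    """Apply the four remediation steps as checks; return (status, list of missing steps)."""
    findings = []
    if openssl_version_vulnerable(rec.openssl_version):
        findings.append("step 1: OpenSSL not patched")
    if rec.current_key_fingerprint == rec.old_key_fingerprint:
        findings.append("step 2: private key not regenerated (same public key as before disclosure)")
    if rec.current_cert_not_before < HEARTBLEED_DISCLOSED:
        findings.append("step 3: certificate not reissued since disclosure")
    if not rec.old_cert_revoked:
        findings.append("step 4: pre-disclosure certificate not revoked")

    if any(f.startswith("step 1") for f in findings):
        return VULNERABLE, findings
    if findings:
        # Patched, but keys or certificates left in place: the "lazy" remediation case.
        return INCOMPLETE, findings
    return COMPLETE, findings


def summarize(records) -> dict[str, int]:
    """Count hosts per status, the same breakdown the post's chart reports."""
    counts = {VULNERABLE: 0, INCOMPLETE: 0, COMPLETE: 0}
    for rec in records:
        status, _ = classify(rec)
        counts[status] += 1
    return counts


# Constructed sample inventory; hostnames and fingerprints are made up.
SAMPLE = [
    HostRecord("www.example.test", "1.0.1e", "k1", "k1", date(2013, 9, 1), False),    # never touched
    HostRecord("vpn.example.test", "1.0.1g", "k2", "k2", date(2014, 10, 1), False),   # reissued on the same key
    HostRecord("api.example.test", "1.0.1h", "k3", "k3b", date(2014, 5, 12), False),  # new key, old cert not revoked
    HostRecord("mail.example.test", "1.0.2", "k4", "k4b", date(2015, 1, 20), True),   # all four steps done
]

if __name__ == "__main__":
    for rec in SAMPLE:
        status, findings = classify(rec)
        print(f"{rec.host:20} {status:24} {'; '.join(findings)}")
    print(summarize(SAMPLE))
```

The key-fingerprint comparison is the check that separates real remediation from a routine renewal: a certificate reissued because it was about to expire usually keeps the same key pair, and this code flags exactly that case as step 2 missing. The version screen is deliberately conservative; confirm patch status from the package manager or a live probe rather than from the version string alone.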

It’s only the beginning

Using kill chain analysis we see exactly how keys and certificates are used throughout an attack. Since last year, there has been a significant increase in hijacked VPNs used to maintain access to victims’ environments. Intel Security noted a 12% increase in SSL-based network attacks—up from 0% in 2013. And Gartner estimates that by 2017, 50% of network-based attacks will use SSL/TLS.

If organizations do not secure their keys and certificates and enable fast rotation when breached, we could be heading towards a cryptoapocalypse. This phrase was coined by researchers in their Black Hat 2013 presentation and describes a scenario in which the standard algorithms of trust like RSA and SHA are compromised and exploited, allowing bad guys to spoof or surveil all Internet communications.

What is your organization’s response plan to handle potentially compromised keys and certificates when breached? Does your organization treat keys and certificates like user IDs and passwords and replace them when a breach is suspected? I would love to hear from you.

The full analysis on our 2015 Heartbleed research can be found here.
