Looking at the latest data pulled this morning, much progress has been made and there are only 42 cloud security services that are vulnerable to Heartbleed. For these services, user data, passwords, and private keys for these services can be stolen using a simple exploit.
However, more alarming today is the number of cloud services that have not fully addressed their past vulnerability. After patching SSL, the next step cloud providers must take is to reissue their certificates. As reported by CloudFlare, Heartbleed can be used by an attacker to access private keys and impersonate a website. Since Heartbleed exploits dont leave a trace in server logs, cloud providers must assume their private keys have been compromised even if they dont have any evidence of them being stolen.
Certificate updates trail Heartbleed patching
Most websites have patched SSL but they are reissuing and revoking certificates at a much slower pace. Netcraft reported that only 30,000 websites (out of more than 500,000) reissued new certificates by the end of last week, and even fewer have revoked their certificates. While not completely eliminating the risk of a man-in-the-middle attack (MITM) this is a critical step in reducing the risk of these attacks.
Skyhigh is tracking certificate updates across cloud providers and as of this morning only 13.3% of cloud security service providers affected by Heartbleed have updated their certificates. A smaller percentage have both reissued and revoked their certificates, making them vulnerable to impersonation in a phishing scam or man-in-the-middle attack. Most certificate authorities have agreed to replace certificates for free, but there are complaints they arent prepared for the volume of certificates that need to be reissued.
Already were seeing that Heartbleed has exposed not just a vulnerability in SSL but vulnerabilities in the way we approach security.