Half a million widely trusted websites vulnerable to Heartbleed bug

A serious overrun vulnerability in the OpenSSL cryptographic library affects around 17% of SSL web servers that use certificates issued by trusted certificate authorities. Already commonly known as the Heartbleed bug, a missing bounds check in the handling of the TLS heartbeat extension allows remote attackers to read up to 64 kilobytes of memory on an affected server. This could allow attackers to retrieve private keys and ultimately decrypt the server's encrypted traffic or even impersonate the server.
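To make the missing bounds check concrete, the following is an added illustrative example in C, not OpenSSL's own code: a minimal RFC 6520 heartbeat handler that compares the payload length claimed in the message against the length of the record that actually arrived, which is the comparison the affected versions lacked. The function names (`heartbeat_payload_len`, `heartbeat_build_response`, `heartbeat_try_response`) and the two sample records are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat body: type(1) | payload_length(2) | payload | padding(>=16 bytes). */
#define HB_PADDING      16
#define HB_REQUEST      1
#define HB_RESPONSE     2

/* Returns the payload length the record really carries, or -1 if it must be discarded.
 * `len` is the size of the received body in memory, the value never consulted in 1.0.1-1.0.1f. */
int heartbeat_payload_len(const uint8_t *msg, size_t len) {
    if (len < 1 + 2 + HB_PADDING) return -1;          /* no room for header plus padding */
    if (msg[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)msg[1] << 8) | msg[2]; /* up to 65535: the "64 kilobytes" */
    /* The missing check: the claimed payload must fit inside the record that arrived.
     * Without it the echo below copies `payload` bytes from whatever follows the message. */
    if (1 + 2 + payload + HB_PADDING > len) return -1;
    return (int)payload;
}

/* Echo the request as a response, copying only bytes that were really received. */
int heartbeat_build_response(const uint8_t *req, size_t req_len, uint8_t *out, size_t out_cap) {
    int payload = heartbeat_payload_len(req, req_len);
    if (payload < 0) return -1;
    size_t need = 1 + 2 + (size_t)payload + HB_PADDING;
    if (out_cap < need) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + 3, req + 3, (size_t)payload);
    memset(out + 3 + payload, 0, HB_PADDING);       /* padding content is ignored by the peer */
    return (int)need;
}

/* Constructed sample records (not captured traffic): both are 23 bytes on the wire. */
static const uint8_t legit_req[23] = {HB_REQUEST, 0x00, 0x04, 'a', 'b', 'c', 'd'}; /* claims 4, carries 4 */
static const uint8_t bad_req[23]   = {HB_REQUEST, 0xFF, 0xFF, 'a', 'b', 'c', 'd'}; /* claims 65535, carries 4 */
/* Build a response into a local buffer and report its length, or -1 when the request is rejected. */
int heartbeat_try_response(const uint8_t *req, size_t req_len) {
    uint8_t out[64];
    return heartbeat_build_response(req, req_len, out, sizeof out);
}
int main(void) {
    printf("legit: payload %d\n", heartbeat_payload_len(legit_req, sizeof legit_req)); /* 4 */
    printf("bad:   payload %d\n", heartbeat_payload_len(bad_req, sizeof bad_req));     /* -1 */
    return 0;
}
```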

The Heartbleed bug write-up mentions Apache and nginx as being the most notable software using OpenSSL, and also points out that these have a combined active site market share of over 66% according to our April 2014 Web Server Survey. However, not all of these servers are running an HTTPS service, nor are they all running vulnerable versions of OpenSSL with heartbeats enabled.

Our most recent SSL Survey found that the heartbeat extension was enabled on 17.5% of SSL sites, accounting for around half a million certificates issued by trusted certificate authorities. These certificates are consequently vulnerable to being spoofed (through private key disclosure), allowing an attacker to impersonate the affected websites without raising any browser warnings.

Most vulnerable servers are using Apache.

Note that a small percentage of Microsoft web servers also appear to support the TLS heartbeat extension; these are actually likely to be vulnerable Linux machines acting as reverse proxy frontends to Windows servers.

Support for heartbeats was added to OpenSSL 1.0.1 (released in 2012) by Robin Seggelmann, who also coauthored the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension RFC. The new code was committed to OpenSSL's git repository just before midnight on New Year's Eve 2011.

OpenSSL's security advisory states that only versions 1.0.1 and 1.0.2-beta are affected, including 1.0.1f and 1.0.2-beta1. The vulnerability has been fixed in OpenSSL 1.0.1g, and users who are unable to upgrade immediately can disable heartbeat support by recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag.

Popular sites which exhibit support for the TLS heartbeat extension include Twitter, GitHub, Yahoo, Tumblr, Steam, DropBox, HypoVereinsbank, PostFinance, Regents Bank, Commonwealth Bank of Australia, and the anonymous search engine DuckDuckGo.

Certificates and keys at risk of compromise should be revoked and replaced, particularly if they are used to protect sensitive data. Certificate Authorities, hosting companies and other interested parties can contact us for assistance in identifying affected certificates.

You can check whether your own HTTPS website might be vulnerable by using the form below and looking for the RFC6520 heartbeat TLS extension.


Thousands of websites still hosted on Windows XP

Thousands of websites are still hosted on Windows XP computers, despite the operating system reaching the end of its extended support period today. After today, Microsoft will stop providing automatic security updates for Windows XP, and Microsoft Security Essentials will also no longer be available for Windows XP.

Originally released in 2001, Windows XP is currently used by more than 6,000 websites in Netcraft's April 2014 Web Server Survey. Although China is often regarded as one of the most prolific users of Windows XP, only 3% of these sites are hosted there, suggesting that Windows XP has a predominantly desktop role in China. The largest share (nearly a third) of all Windows XP-powered websites is actually hosted in the United States.

Distribution of Windows XP-powered websites (logarithmic scale)

Notably, there are 14 US government websites still running on Windows XP, including a webmail system used by the State of Utah. Unsupported web-facing Windows XP servers are likely to become prime targets for hackers, particularly if any new Windows XP vulnerabilities are discovered, as no security updates will be available to fix them. To afford some breathing space, the UK Government recently struck a £5.5m deal for Microsoft to provide it with an extra year of support for Windows XP, although there are currently no Windows XP-powered websites under the gov.uk top-level domain.

One of the busiest sites still using Windows XP is TransFerry.com. This site was previously using Windows 2000, and perhaps more worrying is the significantly larger number of websites that still use Windows 2000. This version of Windows reached its extended support end date in July 2010, yet nearly half a million of today's websites are hosted on Windows 2000 servers, most of which are using the Microsoft IIS 5.0 web server software they were shipped with. This version of IIS is practically identical to the one used by Windows XP (IIS 5.1).

Netcraft's April 2014 survey also found 50,000 websites which are hosted on even older Windows NT4 servers running Microsoft IIS 4.0, although three quarters of these sites are served from the same computer in Norway. One of the busiest sites still running on Windows NT4 is the Australian Postal Corporation's post.com.au, which has been using the same operating system for at least 13 years. Windows NT4 and IIS 4.0 are also still used by Australia Post's Postbillpay bill payment service, airindia.co.in and by the French government's Ministère de l'Économie, des Finances et de l'Industrie.