A group of researchers from the University of Maryland has found that many of the sysadmins responsible for closing the hole exposed by the Heartbleed bug did not do enough.
Assistant Research Scientist Dave Levin and Assistant Professor of Electrical and Computer Engineering Tudor Dumitras presented their findings in a paper last week at the 2014 Internet Measurement Conference (IMC) held in Vancouver, B.C.
Levin and Dumitras had been part of a research team whose task was to understand sysadmins’ response to the Heartbleed bug.
After examining one million websites following the initial disclosure of Heartbleed in April, Levin, Dumitras and their colleagues found that while more than 90 percent of sysadmins had patched their software, only 13 percent had gone on to revoke their old certificates and issue new ones.
In their paper “Analysis of SSL Certificate Reissues and Revocations in the Wake of Heartbleed,” the researchers comment:
“All vulnerable servers should have taken three critical steps to ensure the security of their service and their users: they should have patched their code, revoked their old certificate, and reissued a new one.”
Patching matters because Heartbleed could expose a server's private key, and a patch does nothing to invalidate a key an attacker has already copied; only revocation or expiry does that. The fact that 87 percent of sysadmins did not complete all three steps therefore raises the concern that the vulnerable certificates, if not revoked and reissued soon, will remain valid for at least another two years.
If that happens, an attacker holding a leaked private key can present the still-valid certificate, and for each such certificate browsers and operating systems will have no way to tell the legitimate website from an impostor set up to steal personal information.
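The three steps above, turned into a check a practitioner can run over a host inventory: each host is placed in a remediation bucket (unpatched, patched only, reissued but not revoked, reissued with the same key, fully remediated) and, where the possibly leaked key still matches an unrevoked certificate, the script reports how many days an attacker's copy of that key stays useful. This is an added example, not code from the paper or the researchers. The inventory, the revocation list, the audit date, and the serial numbers and key fingerprints are all constructed; the only real datum is the 7 April 2014 public disclosure date used as the cut-off.

```python
"""Audit of Heartbleed certificate remediation across a host inventory.

This is an added example, not code from the paper or the researchers.
The inventory, the revocation list and the audit date below are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Heartbleed was publicly disclosed on 7 April 2014. A certificate that was
# in service on a vulnerable server before that date must be treated as one
# whose private key may have been leaked, whether or not the server has since
# been patched.
DISCLOSURE = date(2014, 4, 7)


@dataclass
class HostRecord:
    host: str
    patched: bool        # OpenSSL on the host is no longer vulnerable
    old_serial: str      # certificate served before disclosure
    old_key_fpr: str     # fingerprint of that certificate's public key
    old_not_after: date  # when that certificate expires on its own
    cur_serial: str      # certificate served at audit time
    cur_key_fpr: str
    cur_not_before: date
    cur_not_after: date


def exposure_days(rec: HostRecord, revoked: set, today: date) -> int:
    """Days until every unrevoked certificate carrying the possibly leaked
    key has expired, i.e. how long an attacker's copy of the key stays useful."""
    ends = []
    if rec.old_serial not in revoked:
        ends.append(rec.old_not_after)
    if rec.cur_key_fpr == rec.old_key_fpr and rec.cur_serial not in revoked:
        ends.append(rec.cur_not_after)
    if not ends:
        return 0
    return max((max(ends) - today).days, 0)


def classify(rec: HostRecord, revoked: set, today: date) -> dict:
    """Place one host in one of the remediation buckets the three steps imply."""
    if not rec.patched:
        state = "unpatched"
    elif rec.cur_not_before < DISCLOSURE:
        # Still serving the pre-disclosure certificate: nothing was reissued.
        state = "patched-only"
    elif rec.cur_key_fpr == rec.old_key_fpr:
        # A new certificate wrapping the same key gives no protection at all:
        # the attacker's copy of the key still matches it.
        state = "reissued-same-key"
    elif rec.old_serial not in revoked:
        # Patched and reissued, but the old certificate stays valid until it
        # expires, so the leaked key still lets an attacker impersonate the site.
        state = "reissued-not-revoked"
    else:
        state = "fully-remediated"
    return {"host": rec.host, "state": state,
            "exposure_days": exposure_days(rec, revoked, today)}


def summarize(records, revoked: set, today: date) -> dict:
    """Fleet-level figures in the same shape as the study's headline numbers."""
    states = Counter(classify(r, revoked, today)["state"] for r in records)
    n = len(records)
    patched = sum(1 for r in records if r.patched)
    return {"hosts": n,
            "patched_pct": round(100.0 * patched / n, 1),
            "fully_remediated_pct": round(100.0 * states["fully-remediated"] / n, 1),
            "by_state": dict(states)}


# Constructed inventory: every host used a key that was in service on a
# vulnerable server before disclosure. Serials and fingerprints are placeholders.
TODAY = date(2014, 11, 10)
REVOKED = {"1001"}  # serials found on the CA's CRL or answered "revoked" by OCSP
INVENTORY = [
    # patched, reissued with a fresh key, old certificate revoked
    HostRecord("a.example", True, "1001", "K1", date(2016, 3, 1),
               "2001", "K2", date(2014, 4, 10), date(2016, 4, 10)),
    # patched and reissued, but the old certificate was never revoked
    HostRecord("b.example", True, "1002", "K3", date(2015, 9, 30),
               "2002", "K4", date(2014, 4, 12), date(2016, 4, 12)),
    # patched, still serving the certificate issued in 2013
    HostRecord("c.example", True, "1003", "K5", date(2016, 1, 15),
               "1003", "K5", date(2013, 1, 15), date(2016, 1, 15)),
    # never patched
    HostRecord("d.example", False, "1004", "K6", date(2015, 6, 1),
               "1004", "K6", date(2013, 6, 1), date(2015, 6, 1)),
    # "reissued" by having the CA sign the same key pair again
    HostRecord("e.example", True, "1005", "K7", date(2015, 2, 1),
               "2005", "K7", date(2014, 4, 20), date(2016, 4, 20)),
]


def audit() -> dict:
    return summarize(INVENTORY, REVOKED, TODAY)


if __name__ == "__main__":
    for rec in INVENTORY:
        print(classify(rec, REVOKED, TODAY))
    print(audit())
```

The inventory fields would in practice come from a scanner that records each host's served certificate and OpenSSL version before and after the patch date, and the revoked set from the CA's CRL or OCSP responses. The "reissued-same-key" bucket is worth keeping even though the article does not discuss it: a new certificate over the old key pair looks remediated to anyone checking only issuance dates, yet leaves the site exactly as impersonable as before.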
In addition to this particular finding, the researchers also gained insight into the initial response following Heartbleed’s disclosure.
A graph of the certificate revocation rate over the first three weeks after disclosure showed the rate dropping consistently over weekends, most likely because most sysadmins had weekends off; that, in turn, slowed the industry's overall response to Heartbleed.
Levin and Dumitras’ work provides useful information about how humans factor into remediation.
It is the researchers’ hope that their findings will be the subject of many productive conversations which will, in turn, inform sysadmins’ response following the disclosure of the next Internet bug.