Heartbleed, Two Weeks Later, 4.4% Of SSL Enabled Websites Still Vulnerable
4.4% of Websites With SSL and 8.7% of Android Devices With SSL Libraries Are Still Vulnerable
SAN JOSE, CA--(Marketwired) - Trustlook, a mobile security start-up in San Jose, has published a new report on the Heartbleed vulnerability. It shows that 4.4% of SSL-enabled websites and 8.7% of Android apps with a built-in SSL library are still vulnerable, even 16 days after the initial disclosure.
Heartbleed is a major vulnerability in OpenSSL, one of the core network infrastructure libraries. By exploiting it, an attacker could steal users' login credentials, private information, and even the website's certificate keys.
Why is it critical?
- Widely affecting web infrastructure: Heartbleed impacts services including web, file transfer, and email. Taking web services as an example, both Apache and Nginx use OpenSSL for secure connections, and together they hold 66% of the web server market.
- Easy to exploit: harvesting sensitive data is the main purpose of the attack, and it is the first and only step. With exploit code (which can be googled easily), anyone can carry out the attack using publicly released tools and without professional knowledge.
- Hard to detect: the attack is triggered by "heartbeat packets", which are usually not recorded in server logs.
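Because heartbeat messages are handled inside the TLS layer and never reach the application log, detection has to look at the TLS records themselves. The following is an added example, not Trustlook's code or tooling: it splits a captured byte stream into TLS records and flags any heartbeat record whose 2-byte payload length field claims more data than the record actually carries, which is the same length test the OpenSSL fix introduced (RFC 6520 requires the type byte, the length field, the payload and at least 16 bytes of padding to fit inside the record). The sample stream at the bottom is constructed for illustration.

```python
"""Flag TLS heartbeat records whose claimed payload length exceeds the record.

Added example for this page; not Trustlook code. It inspects raw TLS records
(for instance bytes captured in front of a server) because heartbeat messages
never appear in the application log. The sample stream below is constructed.
"""
import struct

TLS_HEARTBEAT = 24           # TLS content type for heartbeat (RFC 6520)
HB_HEADER_LEN = 3            # 1-byte message type + 2-byte payload_length
HB_MIN_PADDING = 16          # RFC 6520 requires at least 16 bytes of padding


def parse_tls_records(stream):
    """Split a byte stream into (content_type, version, body) TLS records."""
    records = []
    offset = 0
    while offset + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[offset:offset + 5])
        body = stream[offset + 5:offset + 5 + length]
        if len(body) < length:        # truncated capture; stop rather than guess
            break
        records.append((ctype, version, body))
        offset += 5 + length
    return records


def check_heartbeat(body):
    """Return 'ok' or a reason string for one heartbeat record body.

    Mirrors the length test added in the OpenSSL fix: the message type, the
    2-byte length, the payload and 16 bytes of padding must all fit inside
    the record that carried them.
    """
    if len(body) < HB_HEADER_LEN:
        return "malformed: body shorter than heartbeat header"
    hb_type = body[0]
    if hb_type not in (1, 2):           # 1 = request, 2 = response
        return "malformed: unknown heartbeat type %d" % hb_type
    (payload_len,) = struct.unpack("!H", body[1:3])
    needed = HB_HEADER_LEN + payload_len + HB_MIN_PADDING
    if needed > len(body):
        return ("suspicious: claimed payload %d needs %d bytes, record has %d"
                % (payload_len, needed, len(body)))
    return "ok"


def scan_stream(stream):
    """Return one alert dict per heartbeat record that fails the length check."""
    alerts = []
    for index, (ctype, version, body) in enumerate(parse_tls_records(stream)):
        if ctype != TLS_HEARTBEAT:
            continue                    # handshake/app-data records are ignored
        verdict = check_heartbeat(body)
        if verdict != "ok":
            alerts.append({"record_index": index,
                           "tls_version": hex(version),
                           "reason": verdict})
    return alerts


def tls_record(ctype, body, version=0x0302):
    """Build a TLS record (TLS 1.1 version field by default)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed sample: a well-formed heartbeat request, an unrelated handshake
# record, and a heartbeat whose length field claims far more than the record
# actually carries.
BENIGN_HB = tls_record(TLS_HEARTBEAT,
                       bytes([1]) + struct.pack("!H", 4) + b"ping" + b"\x00" * 16)
HANDSHAKE = tls_record(22, b"\x01\x00")
BAD_HB = tls_record(TLS_HEARTBEAT, bytes([1]) + struct.pack("!H", 0x4000))
SAMPLE_STREAM = BENIGN_HB + HANDSHAKE + BAD_HB

if __name__ == "__main__":
    for alert in scan_stream(SAMPLE_STREAM):
        print("ALERT record #%(record_index)d (%(tls_version)s): %(reason)s" % alert)
```

Run on the constructed stream, the scanner reports exactly one alert, for the third record. The same check can be placed in front of a server as a passive sensor or wired into an IDS rule, which is the practical answer to heartbeat traffic never showing up in access logs.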
This report was written 16 days after the vulnerability's initial disclosure. The Trustlook team analyzed Alexa's top 1 million websites and over 120,000 apps from Google Play to show Heartbleed's aftermath two weeks on and beyond.
After large websites (Yahoo, GitHub, GoDaddy, etc.) patched themselves, attackers' focus is shifting to smaller sites and mobile platforms. According to the scan results for the Alexa top 1 million websites, 451,470 have SSL connections enabled, and of those, 19,566, or 4.4%, are still vulnerable.
On mobile platforms, Android 4.1.1, which holds 7% of the Android market, is vulnerable because of the OpenSSL version it uses. Making matters worse, Android is a highly fragmented OS, and some third-party ROMs are slow to apply patches and updates. After scanning 120,000 apps from Google Play, 8.7% of them were found vulnerable, affecting more than 150 million users.
One week ago Trustlook released an emergency protection app, Heartbleed Detector (http://play.google.com/store/apps/details?id=com.trustlook.heartpulse), which helps mobile users mitigate the risk. Their other app, Trustlook Antivirus, has also integrated Heartbleed detection.
About Trustlook Inc.
Founded in 2013 and headquartered in Silicon Valley, Trustlook is a global leader in next-generation mobile security solutions. Trustlook pioneers and provides the first APT (advanced persistent threat) mobile security solutions to detect and address zero-day and advanced malware. For more information, please visit blog.trustlook.com.
Image Available: http://www.marketwire.com/library/MwGo/2014/4/24/11G014925/Images/Screen_Shot_2014-04-23_at_9.27.21_PM_copy-aa935cf5-b530-4fee-9689-7dcf28c85b1d.jpg
Image Available: http://www.marketwire.com/library/MwGo/2014/4/24/11G014925/Images/Screen_Shot_2014-04-24_at_11.50.37_AM_copy-7a008ae6-156c-41fe-afbb-c8e212735b67.jpg