Have we done enough to battle Heartbleed flaw?

Have companies done enough to fight the Heartbleed flaw? A year on, one report is saying 75 per cent of potential victims are still at risk - but others are casting doubt on that claim.

Last year, a critical bug dubbed Heartbleed was found in OpenSSL, letting attackers snoop on data sent online - including everything from passwords to security certificates. The flaw had been sitting in OpenSSL's code for two years before it was found.

A year on, certificate service Venafi TrustNet has claimed that three quarters of the top 2,000 companies in the world remain vulnerable to the flaw.

"Why have organisations still not completed full remediation?" its report asked. "Organisations have either given up on properly replacing keys and certificates, most likely not grasping the full risk exposure this creates, or do not have the knowledge to understand how to complete remediation."

Venafi said that many users are requesting new certificates but reusing their existing private keys, when they should be generating entirely new private keys.

"Enterprises must assume, just as they do with user IDs and passwords following an incident, that all keys and certificates are compromised, not just those that secured vulnerable Heartbleed systems," the report added.
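The distinction Venafi draws matters because a Heartbleed-exposed server could have leaked its private key, and a certificate reissued on that same key is still impersonatable by whoever holds it. A defender can check for this in an audit by comparing the public-key fingerprint of the old and the "renewed" certificate. The script below is an added example, not code from the article or from Venafi; it uses the openssl command-line tool, generates its own throwaway keys and self-signed certificates in a temporary directory, and the name `example.test` is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the article): detect a "renewed" certificate that
# still carries the old private key by comparing SubjectPublicKeyInfo digests.
# Requires the openssl CLI. All keys and certificates are generated locally.
set -eu

# spki_fingerprint CERT.pem -> SHA-256 of the certificate's public key (DER).
# Two certificates with the same fingerprint share the same private key.
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -r | cut -d' ' -f1
}

# key_rotation_status OLD.pem NEW.pem -> prints REUSED or ROTATED.
# REUSED means the new certificate was issued for the old (possibly leaked) key.
key_rotation_status() {
    if [ "$(spki_fingerprint "$1")" = "$(spki_fingerprint "$2")" ]; then
        echo REUSED
    else
        echo ROTATED
    fi
}

# make_demo_certs -> prints a temp dir holding constructed sample material:
#   old.crt     original certificate on key old.key (assume it was exposed)
#   renewed.crt "renewed" certificate, same key old.key (incomplete remediation)
#   rotated.crt certificate on a freshly generated key new.key (correct)
make_demo_certs() {
    d=$(mktemp -d)
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$d/old.key" 2>/dev/null
    openssl req -new -x509 -key "$d/old.key" -subj "/CN=example.test" \
        -days 1 -out "$d/old.crt" 2>/dev/null
    openssl req -new -x509 -key "$d/old.key" -subj "/CN=example.test" \
        -days 1 -out "$d/renewed.crt" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$d/new.key" 2>/dev/null
    openssl req -new -x509 -key "$d/new.key" -subj "/CN=example.test" \
        -days 1 -out "$d/rotated.crt" 2>/dev/null
    echo "$d"
}

# Stand-alone run: show both outcomes for the constructed sample.
DEMO=$(make_demo_certs)
echo "old vs renewed: $(key_rotation_status "$DEMO/old.crt" "$DEMO/renewed.crt")"
echo "old vs rotated: $(key_rotation_status "$DEMO/old.crt" "$DEMO/rotated.crt")"
```

In an audit you would run `spki_fingerprint` against the certificate captured before the patch and the one served today; a matching digest means the key was never replaced, regardless of how new the certificate's dates or serial number look.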

However, another security expert, Robert Graham of Errata Security, claimed the risk isn't as serious as Venafi suggests - and pointed out that the company stands to benefit from any panic around certificates, as it "sells a solution for that problem".

"Only a small percentage of systems were vulnerable to Heartbleed in the first place, and it's hard to say which certificates actually needed to be replaced," explained Graham in a blog post.

"The fact is this: most companies patched their systems before their certificates were stolen," he added. "For those who did get certificates stolen, it's unlikely that their servers can be breached with that information.

"Sure, some user accounts may get compromised by hackers doing man-in-the-middle at Starbucks, but the servers themselves are safe. Even if you did everything wrong updating your certificates, you probably aren't in danger. Sure, some of you are, but most of you aren't."

Open-source support

There's more to Heartbleed than simply updating certificates, noted AVG's CTO Yuval Ben-Itzhak.

In a blog post, he said that it doesn't appear as though the web is a more secure place a year on from the discovery of the bug, or that we've learned many lessons from the massive web flaw.

In particular, he called for more support for open-source projects, noting that many of us make use of OpenSSL, but few donate time or money to support it.

"The OpenSSL Project does a great job finding and fixing vulnerabilities when they appear but in order to truly move the dial for Internet security, we need more investment," he said. "Right now, the hands of the world's online safety is in the hands of only a few coders working in small teams. That simply won't do."