Sysadmins disposed of Heartbleed certs, but forgot to flush

Sysadmins' need for sleep and attempts to stop working at weekends have slowed down the response to Heartbleed, according to University of Maryland researchers – but more seriously, it's possible that a bunch of half-fixed websites retain some vulnerability to the bug.

The problem, the researchers told the 2014 Internet Measurement Conference in Vancouver last week, is that while sysadmins may have run in the necessary patches, they haven't gotten around to revoking the PKI certificates their sites had before the bug was discovered.

As explained by assistant research scientist Dave Levin, sites needed to “patch their OpenSSL software, they needed to revoke their current certificates, and they needed to reissue new ones”.

However, in an analysis of over a million popular websites in the US, Levin and his research partner Tudor Dumitras say too many admins skipped the revocation step.

“Many people seem to think that if they reissue a certificate, it fixes the problem, but actually the attack remains possible,” he says in the university's release.

His paper here [PDF] says a snapshot three weeks after Heartbleed was disclosed, 87 per cent of certificates had yet to be reissued. There was also “a drastic decline in revocations on the weekends”: in other words, the combination of too much manual work and people actually having weekends off slowed down the response to the bug.

It's feasible that since the researchers collected their data, the certificates have indeed been revoked, but the concern the authors raise is that “if they do not eventually become revoked, 20 per cent of those certificates will remain valid … for two or more years”. ®