Censys Blog

Heartbleed Bug Health Report

April 7, 2014

The Heartbleed Bug is a vulnerability in the OpenSSL cryptographic library that allows attackers to invisibly read sensitive data from a web server. This potentially includes cryptographic keys, usernames, and passwords. More information and frequently asked questions can be found in the initial disclosure.

UPDATE We have published our comprehensive analysis of the Heartbleed Vulnerability, The Matter of Heartbleed. The work will be formally presented at the ACM SIGCOMM Internet Measurement Conference (IMC'14) on November 7, 2014 in Vancouver, Canada. This analysis provides updated information that supersedes this website.

Who is Vulnerable?

In order to track who is vulnerable to the Heartbleed Bug, we have been performing comprehensive scans of the IPv4 address space using ZMap and regularly checking on the status of the Alexa Top 1 Million domains. As of 4:00 PM EDT on Wednesday, April 16, 2014, we found that 45% of the Alexa Top 1 Million websites support TLS. Of the websites that support HTTPS, 5.2% are vulnerable, 32% safely support the heartbeat extension, and 63% do not support the heartbeat extension (and are therefore safe). Information on popular websites that were impacted, but are no longer vulnerable can be found on Mashable's The Heartbleed Hit List: The Passwords You Need to Change Right Now. If you are concerned that a specific website is vulnerable, you can test that website using the Qualys SSL Server Test. If you are a Systems Administrator, the EFF has published Heartbleed Recovery for System Administrators with information on how to protect services.

UPDATE (4/11/14 10:00 PM EDT) There is now evidence available that indicates that it is possible to extract private keys from the web servers that were impacted by the Heartbeat Vulnerability. We have published a list of the first time each website's certificate was first seen in the wild. Unfortunately, it appears that close to 25% of the top 1,000 websites running software potentially impacted by the Heartbeat Vulnerability are using certificates from before April 1st, 2014.

UPDATE (4/13/14 1:00 PM EDT) Most of the attention surrounding the Heartbeat Vulnerability has focused on web servers that utilize OpenSSL. However, many other types of services utilize TLS and OpenSSL to encrypt sensitive communication including mail, instant messaging, and voice-over-IP (VoIP). We have begun to scan for vulnerable SMTP, IMAP, and POP3 servers. Approximately 7.6% of the mail servers hosted at mail.domain and smtp.domain for the Alexa Top 1 Million still remain vulnerable.

UPDATE (4/14/14 6:00 PM EDT) On Monday afternoon, it was brought to our attention that several safe mail servers were incorrectly listed as vulnerable in one of our recent scans. We have since located the error and have posted updated results. We thank Scott Thorson for bringing this to our attention.

Full scans of HTTPS for the complete IPv4 address show that approximately 4.9% of all hosts that support HTTPS remain vulnerable. 6.0% support heartbeat messages, but are not vulnerable, and 89.1% of HTTPS hosts do not support heartbeat. In total, approximately 1.4 million web servers remain vulnerable. We are not releasing full Internet-wide scans at this time.

Historical Trend of Vulnerable HTTPS Enabled Alexa Top 1 Million Websites

Are there Active Attacks?

We have observed a small number of hosts scanning for the vulnerability. However, it is difficult to discern the intent of these scanners. While it is possible that attackers are looking for hosts to compromise, it is also possible that these scans are being run by researchers.

UPDATE (4/10/14 7:30 PM EDT): We have historical data on HTTPS connections from one off-the-beaten-path IP address since November 22, 2013. We observed the first scan attempt to exploit the vulnerability on 2014-04-09 at 00:23 UTC from (an address in China associated with malicious activities). We saw a second attempt to exploit the vulnerability on 2014-04-10 at 02:04 GMT and again at 02:58 UTC from the IP address (an Amazon EC2 instance). Since our honeypot address is not a major site, we suspect that these attack attempts were part of Internet-wide exploit attempts. We didn't observe any such wide-scale attacks prior to the public announcement of the bug. However we cannot rule out that the possibility that there were earlier targeted attacks against specific sites.

UPDATE (4/15/14 2:00 PM EDT): We have observed 41 unique hosts scanning for and attempting to exploit the Heartbeat Vulnerability. These attacks were discovered on three out-of-the-way honeypots that we are maintaining. Of these 41 hosts, 59% were located in China and accounted for 45% of the attacks. The first probe we detected was at 1539 GMT on April 8, 2014. Given that our honeypots are hosted on out-of-the-way hosts and not on a major website, it is most likely that these hosts were performing comprehensive scans or scans of a large sample of the Internet. The most data that was retrieved by a single scanner was 300 KB.

Who is behind this research?

This report has been generated by computer scientists at the University of Michigan including Zakir Durumeric, David Adrian, Michael Bailey, and J. Alex Halderman. The team can be contacted at heartbleed@umich.edu.