Newsletters
News & Information for Technology Purchasers NewsFactor Sites:       NewsFactor.com     Enterprise Security Today     CRM Daily     Business Report     Sci-Tech Today  
   
This ad will display for the next 20 seconds. Click for more information, or
Home Enterprise I.T. Cloud Computing Applications Hardware More Topics...
GET RECOGNIZED.
Let an ISACA® certification
elevate your career.

Register today and save
World Wide Web
DDoS Protection Powered By Verisign
Average Rating:
Rate this article:  
Where Do Web Sites Stand, Post-Heartbleed?

Where Do Web Sites Stand, Post-Heartbleed?
By Barry Levine

Share
Share on Facebook Share on Twitter Share on Linkedin Share on Google Plus

A scan of the top 1 million Web sites found that none of the top 1,000 sites were vulnerable to the Heartbleed OpenSSL bug, and only 0.53 percent of the top 10,000, 1.5 percent of the top 100,0000 and 2 percent of the top 1 million were vulnerable, according to the security firm Sucuri Security.
 


Fallout and followup continue from Heartbleed, the vulnerability recently discovered in some versions of the widely used OpenSSL encrypting software. Some reports indicate that the vast majority of Web sites have patched themselves, and there are some questions being asked about the overall reliability of open-source programs.

Security firm Sucuri Security has scanned the top million Web sites for Heartbleed vulnerability. In a posting last week on its corporate blog, Sucuri said it found none of the top 1,000 sites vulnerable, only 0.53 percent of the top 10,000, 1.5 percent of the top 100,0000 and 2 percent of the top 1 million.

But Avivah Litan, a security analyst with industry research Gartner, told us she was "not so convinced" that only a tiny percentage remain vulnerable.

23 Percent

She pointed particularly to financial-sector sites, which, she said, "owe it to consumers" to let them know if they need to change their passwords or if all is OK. In addition, she pointed out, "thousands of community banks rely on service providers," and their status is similarly unclear.

Overall, Litan said she was "actually very disappointed" with the response by many sites in making their status clear, especially those that conduct financial transactions.

A poll by the Huffington Post and YouGov found that only 23 percent of responding Web users have checked to see if the Web sites they use have been affected by the bug. Slightly more than 38 percent have changed their passwords.

Meanwhile, the fallout includes some hits on whether open-source software is up to the task of providing solutions for key infrastructure. Some observers are noting that the OpenSSL Software Foundation, tasked with overseeing OpenSSL, is run by two full-time employees, a handful of volunteers, and a small budget.

'You Get What You Pay For'

Additionally, the bug became part of the code about two years ago, so it's taken that long for the error to be discovered. In fact, Steve Marquess, president of the OpenSSL Foundation, said in a recent open letter that "the mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn't happened more often."

There are also reports that Google knew about the vulnerability a fair amount of time before it became widely known. According to the time stamp on the patch file that Google developed and sent to OpenSSL for distribution, the tech giant developed and implemented the patch internally more than a week before it notified OpenSSL about the issue.

One question that is being raised is whether a key piece of software that is used on the sites of Amazon, Yahoo, the FBI, Android smartphones and in the software of U.S. military weapons systems, among many other implementations, should be developed and maintained by an open-source community.

Gartner's Litan told us that, with open source, "at least it's transparent," which she said was more than could be said for many commercial software packages where the source code is not available and bugs may not be publicized. Commercial software companies, she pointed out, "have no obligation to report their vulnerabilities."

On the other hand, she noted that there's the principle of "you get what you pay for," and that there's an argument against using open-source software for critical infrastructure.
 

Tell Us What You Think
Comment:

Name:

Ian Coutts:

Posted: 2014-04-22 @ 12:22am PT
Do we really get what we pay for? We've all paid Microsoft for the privilege of using their OS's, and all we get are fixes for problems that have already been found. No prevention.

The open source community also fixes problems that have already been found.

Tell me again why we should pay Microsoft?

Tim James:

Posted: 2014-04-21 @ 4:04pm PT
I don't understand how hiding software from view will help. By the very fact that the software was in plain sight is why it was found. How is not allowing me to inspect a house before I buy it making me safer? Some people are absolute morons.

Tony:

Posted: 2014-04-21 @ 3:54pm PT
This seems like it is just an attack on open source. I think I will take my laptop running Linux that doesn't need to restart when i do updates, and I will move my start button, and when I have problems with it I will Google it and find a solution, or even edit the source to create a solution.

A quick comparison of open source, and proprietary solutions in a data center example is pretty startling. Beginning at the time of purchase, the price tag its obvious enough open source is a "cheaper" solution. Next installation, with open source you could do "yum install openssl" done, with others you would search the web for that application, purchase it download an installer, install it, add the product key. Updates are also different, open source I can do "yum -y update" and update everything on the server, and not need to restart. While on proprietary systems an update only updates that specific software and needs repeated on each piece of software differently, and when completed many times requires a restart.

Also a quick list of things that run open source pieces of software. Chances are your cable box, wireless router, applications on your computer including chrome, notepad++, the phone system that you call when you call a company, most websites, your car, your phone, some keyboards, a plurality of the worlds supercomputers.

Fun fact Microsoft uses open source servers instead of thier own in many of their data centers.

The devs that do openssl don't do it for free, they do get paid, by donations, so I offer a counter proposal: donate to openssl so that they can afford to implement new features, and fix security holes.

GreedRules:

Posted: 2014-04-21 @ 3:04pm PT
"you get what you pay for" and "open vs closed" source are two different issues. With the same, scanty amount of investment, closed source software would have fared much worse and the incident would have likely been sweeped under the carpet. Open source ensures that it is *possible* to properly review and test the code independently. Whether it is done or not is a matter of resources / money. The problem here is that users are not willing to pay for open source the same amount of money they are willing to pay for closed source, even if a higher percentage of money paid into open source foundations goes to actual software development, vs the profit margin and the administrative inefficiencies of traditional software corporations.
Give open source half the budget of its closed source competitors and you will see a much different result.

Annoyed:

Posted: 2014-04-21 @ 2:53pm PT
Where's the substance? Could you at least inform us of the 0.53% or 2% that remain vulnerable?



Salesforce.com is the market and technology leader in Software-as-a-Service. Its award-winning CRM solution helps 82,400 customers worldwide manage and share business information over the Internet. Experience CRM success. Click here for a FREE 30-day trial.


 World Wide Web
1.   Google Buys Contextual Image Startup
2.   Google IPO Began Decade of Big Bets
3.   Assange Talks of Leaving Embassy
4.   Russian Hacker To Be Held Until Trial
5.   Police: Be Careful What You Tweet


advertisement
OkCupid Experiments with Daters
Unethical without user consent?
Average Rating:
Russian Hacker To Be Held Until Trial
Prosecutors fear he would flee country.
Average Rating:
Google IPO Began Decade of Big Bets
And Larry Page wants to push further.
Average Rating:


advertisement
Product Information and Resources for Technology You Can Use To Boost Your Business

Network Security Spotlight
Chinese Hackers Nab Info on Millions of U.S. Patients
A group of Chinese hackers has stolen the personal information, including names and Social Security numbers, of about 4.5 million patients at hospitals operated by Community Health Systems.
 
Premier FBI Cybersquad in U.S. To Add Agents
After helping prosecutors charge Chinese army officials with stealing trade secrets from major companies and by snaring a Russian-led hacking ring, the premier FBI cyber-squad is getting a boost.
 
Apple Opens iCloud Data Center in China
Treading lightly, Apple acknowledged it has started to store encrypted iCloud personal data of some Chinese users on servers in mainland China, operated by the state-owned China Telecom.
 

Enterprise Hardware Spotlight
Compression, Deduplication Come to Violin Concerto 2200
Violin Memory has announced that data deduplication and compression capabilities are now available on its Concerto 2200 solution. Typically, users will experience deduplication rates between 6:1 and 10:1.
 
Cisco Axes 6,000 Employees in Restructuring Plan
Faced with declining profits, Cisco is laying off up to 6,000 employees in the months ahead -- a whopping 8 percent of its global workforce. That's in addition to the 4,000 jobs Cisco cut last year.
 
Web Slows, Have Internet Routers Reached The Limit?
If you encountered problems connecting to the Internet on August 12, you weren't alone. Networking experts blame the wide-scale slowdown on outdated routing systems that are reaching their limits.
 

Mobile Technology Spotlight
HTC Debuts Windows Phone Version of One M8 Smartphone
HTC is bringing the Windows Phone mobile OS to its flagship One M8 device -- the first time any mainstream flagship smartphone has been offered with a choice of operating systems.
 
Verizon Earns Top Rating in Mobile Network Comparison
A new report says Verizon Wireless was the top-performing U.S. cellphone service provider in the first half of 2014, on a nationwide and state-by-state basis, as well as in metro areas.
 
Sprint Comes Out with Data Guns Blazing
As its new CEO promised, Sprint has rolled out a new aggressively competitive price plan. The shared data plans promise twice the high-speed data and at lower prices than AT&T and Verizon Wireless.
 

Navigation
NewsFactor Network
Home/Top News | Enterprise I.T. | Cloud Computing | Applications | Hardware | Mobile Tech | Big Data | Communications
World Wide Web | Network Security | Data Storage | CRM Systems | Microsoft/Windows | Apple/Mac | Linux/Open Source | Personal Tech
Press Releases
NewsFactor Network Enterprise I.T. Sites
NewsFactor Technology News | Enterprise Security Today | CRM Daily

NewsFactor Business and Innovation Sites
Sci-Tech Today | NewsFactor Business Report

NewsFactor Services
FreeNewsFeed | Free Newsletters

About NewsFactor Network | How To Contact Us | Article Reprints | Careers @ NewsFactor | Services for PR Pros | Top Tech Wire | How To Advertise

Privacy Policy | Terms of Service
© Copyright 2000-2014 NewsFactor Network. All rights reserved. Article rating technology by Blogowogo. Member of Accuserve Ad Network.