Heartbleed internet bug will soon be a story of the past
Last week, the most deadly Internet bug was discovered, and the vulnerability shook the foundations of the Internet. Now you can start to breathe a little easier, but don’t relax just yet.
According to a blog post published on Thursday by the Internet security firm Sucuri, the company has done a systematic scan of the top million sites on the Internet as determined by Amazon’s Alexa. According to its CTO, Daniel Cid, there’s mostly good news, but also some not-so-good news.
The safe sites
The results show that the top 1000 sites on the Web are safe. These include sites you use on a daily basis like Google, Facebook, YouTube, Pinterest, Wikipedia, Twitter, LinkedIn and Bing. All have been fixed, their certificates and keys recreated, and can be used, but you should probably change your passwords to be on the safe side.
On a brighter note, among the top 10,000 sites, only 53 were found to still be vulnerable. Sucuri refuses to reveal which ones they are, though statistically speaking you stand a pretty good chance of not encountering a site that’s still vulnerable unless you visit the weirdest sites.
2% of the top 1 million sites are still unsafe
Now the bad news: the company says that many of the top million sites, about two percent, are still vulnerable. That works out to more than 20,000 sites. The principle is simple: the more popular a site, the more likely it is to have been fixed. No culprits have been identified yet. To be on the safe side, you can check for yourself, using the Heartbleed test site, whether a site you use is fixed or not.
Where it all began
The Heartbleed bug emerged last week. It takes advantage of a flaw in OpenSSL, the security software used by about two-thirds of the sites on the Internet, and permits an attacker to randomly scoop up samplings of whatever data happens to be sitting in a computer’s memory. That data can include user names, passwords or other sensitive information. Attackers can also use the bug to steal certificate keys for servers, and can then pose as a legitimate server and trick users into giving up their user names and passwords.