Is .gr heartbleeding?

Introduction

Nothing would be more suitable to follow Part 1 of our research than Heartbleed. Although mass hysteria is not our thing, we have to admit, the bug was pretty ugly. So, given the circumstances we conducted a little survey on SSL in the .gr domain.

How many?

SSL is not very popular in Greece. Even when sensitive data are transmitted over the Internet, there are many websites that lack an HTTPS connection. Our most recent, and kind of ironic, example is the Computer Technology Institute (link) where the registration/login process which includes users’ Social Security number, VAT and ID numbers is conducted over plain HTTP (needless to say that the only thing that protects this sensitive information, your password, is sent via mail after the registration is complete…but that’s another story).

The scan began on 10/4/2014, 2 days after the release of the CVE. A survey by Errata Security showed that patching OpenSSL was conducted effective immediately on a worldwide scale during the first 24 hours after the announcement. Because we lack such data, it is not possible to estimate how many servers behind .gr domains where patched during the first day. However our research showed that currently there are more than 6.5k vulnerable domains out of ~60k that allow an SSL connection (Figure 1).

 

Figure 1

Figure 1

How many is too many?

Is 5.89% of the .gr domains a considerable amount? Our answer is yes. Why?
Most .gr domains point to shared hosting servers. This is probably the main reason why we discovered only 1260 valid SSL certificates. But Heartbleed’s memory disclosure will not make a discrimination. This means that if a site is vulnerable, it might leak information from other websites hosted on the same server. With a bit of information gathering (e.x reverse DNS lookups) and determination, an attacker might get his hands on valuable information.

Conclusion

Once again it would be very interesting to re-run the test after the buzz wears off . Meanwhile shared-hosted website owners should run the test for their site whether they are using SSL or not and notify their hosting companies if they ‘re still vulnerable.

 

Comments are closed.