Many sites reusing Heartbleed-compromised private keys


Since the Heartbleed vulnerability in OpenSSL was announced on April 7, more than 30,000 TLS/SSL certificates have been revoked and reissued with the same keys, missing the whole point of the exercise.

Heartbleed allowed an attacker to determine an OpenSSL-based server's private keys, thus removing any data protection and allowing an attacker to masquerade as the server. This meant that, aside from updating their OpenSSL installation, sites had to revoke their old certificates and reissue new ones.That number comes from Netcraft's SSL survey, an ongoing research project studying TLS/SSL sites across the Internet.
According to Netcraft's survey (see Netcraft's Euler diagram below), 43 percent of sites have reissued their certificates since the appearance of Heartbleed. Seven percent of those have reissued them with the same private key. Only 14 percent have revoked and reissued with new keys, which is the full set of tasks necessary to prevent attack.
Overall, 20 percent have revoked their old certificate, a few without reissuing. Finally, five percent have revoked and reissued, but used the same keys as the earlier certificate.
hertbleed-euler-diagram6
Most certificate authorities are not automatically checking for key reuse. Tools, such as Netcraft's, can be used to determine if the problem exists on a particular site.