We found that the vast majority of vulnerable certificates have not been reissued; further, of those domains that reissued certificates in response to Heartbleed, 60% do not revoke their vulnerable certificates. If they do not eventually become revoked, 20% of those certificates will remain valid (not expire) for two or more years. The ramifications of this findings are alarming: modern Web browsers will remain potentially vulnerable to malicious third parties using stolen keys to masquerade as a compromised site for a long time to come. We analyzed these trends with vulnerable Extended Validation (EV) certificates, as well, and have found that, while they exhibit better security practices, they still remain largely not reissued (67%) and not revoked (88%) even weeks after the vulnerability was made public.
Our data is provided by Rapid7, who generously makes (roughly) weekly full IPv4 HTTPS scans. The data can be downloaded from the University of Michigan Internet Scans Repository. For this study, we use the scans between October 30, 2013 and April 28, 2014.
We filter the SSL certificates to only consider those that advertise a Common Name in the Alexa Top 1 Million domains.
To determine if a host is running a version of OpenSSL that was likely vulnerable in the past, we conduct our own scan. Please use the Contact Us link if you need access to this data set.
For each Alexa-domain-advertising certificate we encounter, we validate the certificate's chain using openssl verify. For certificate chains that were advertised in the past, we use the Faketime library in combination with OpenSSL.
We place all 628,692 valid, Alexa-domain-advertising certificates we find into a SQLite database. This database can be downloaded from this link (552 MB). There are a number of tables in this database, which are briefly described below.