Heartbleed - Still Breaking Hearts

Scott Calonico

The initial furor over the Heartbleed Web vulnerability has now died down, but the aftermath is far from over. For example, on May 5th, weeks after Heartbleed was discovered, Microsoft released a patch for a third-party VPN client used in Windows 8.1.

So, while most of the big names have now patched the vulnerability and moved on, there are still plenty of websites out there that have been left in an insecure state.

If you want proof of this, download the Chromebleed plugin for Google Chrome, and perform a few Web searches. Chromebleed adds a Heartbleed logo to any site in the search results that remains vulnerable. Once you install the plugin, you’ll soon begin to build a picture of just how many sites out there still haven’t been patched.

Of course, Chromebleed’s sole purpose is to alert you to sites that may be vulnerable while you’re browsing the Web. If you run an MSP business, your main priority should be all the sites and services, both local and in the cloud, that you are responsible for on behalf of your clients.

As time goes by, companies that are still vulnerable to Heartbleed are going to look more and more conspicuous. Tools like the aforementioned Chromebleed are really easy to install, and news of them is traveling fast; Chromebleed has been downloaded nearly 300,000 times already.

Once a user has such a tool installed, they are immediately alerted when they browse to a site that’s still affected, leaving them with a negative view of the company in question and its perceived “lax” approach to IT security.

Of course, from an MSP point of view, the priority is rather different. An opportunity exists to offer Heartbleed assessments to all clients, and the “marketing” is already being done for you thanks to high-profile news reports.

So, if you haven’t already, get out there and start making sure none of your client systems are still vulnerable. If any of them get a call from a customer saying “Chromebleed has just told me your site is unsafe” you can be pretty sure who they’re going to call – so make sure you get there first.