Today, a paper titled The Matter of Heartbleed, which examines the aftermath of the Heartbleed bug, will be presented at the ACM Internet Measurement Conference (IMC) 2014. The paper was authored by Zakir Durumeric, Frank Li, James Kasten, Johanna Amann, Jethro Beekman, Mathias Payer, Nicholas Weaver, David Adrian, Vern Paxson, Michael Bailey, and J. Alex Halderman.

Alongside the paper's other active and passive measurements, data from the ICSI SSL Notary was used for a few of the analyses.

Examining data from the Notary allowed us to witness pre-disclosure patching activity. The Notary stores, for each connection, the TLS extensions sent by the client as well as those sent by the server. This enabled us to go back into our data and check whether a server supported the Heartbeat TLS extension, that is, whether it included the extension in its ServerHello. Notary data shows that Google started disabling Heartbeat support on its servers at least 12 days prior to public disclosure. Akamai started disabling the extension at least 4 days prior to disclosure.
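The check described above, whether a server negotiated the heartbeat extension, comes down to parsing the extension list of its ServerHello and looking for extension type 15 (RFC 6520). The following is an added example, not Notary code, that parses a ServerHello handshake message, returns the server's HeartbeatMode if the extension is present, and rejects malformed extension blocks. The wire format is the standard TLS 1.2 one; the two sample ServerHellos are constructed here, with a fixed random and placeholder cipher suite.

```python
"""Parse the extension list of a TLS ServerHello and report whether the
server negotiated the heartbeat extension (type 15, RFC 6520).
Added example; the sample messages below are constructed, not captured."""
import struct

HEARTBEAT_EXT = 0x000F
HEARTBEAT_MODES = {1: "peer_allowed_to_send", 2: "peer_not_allowed_to_send"}


def parse_server_hello(hs: bytes) -> dict:
    """Parse a ServerHello handshake message (record header already stripped).

    Returns the protocol version, cipher suite and a mapping of
    extension type -> extension data. Raises ValueError on malformed input.
    """
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    pos = 0
    version = body[pos:pos + 2]
    pos += 2
    pos += 32                      # server random
    sid_len = body[pos]
    pos += 1 + sid_len             # session id
    cipher = body[pos:pos + 2]
    pos += 2
    pos += 1                       # compression method
    exts = {}
    if pos < len(body):            # the extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end != len(body):
            raise ValueError("extensions length does not match body")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if pos + elen > end:
                raise ValueError("truncated extension")
            if etype in exts:  # RFC 5246 forbids duplicate extension types
                raise ValueError("duplicate extension %#06x" % etype)
            exts[etype] = body[pos:pos + elen]
            pos += elen
        if pos != end:
            raise ValueError("trailing bytes in extension block")
    return {"version": version, "cipher_suite": cipher, "extensions": exts}


def heartbeat_mode(hs: bytes):
    """Return the server's HeartbeatMode name, or None if the server did
    not include the heartbeat extension in its ServerHello."""
    data = parse_server_hello(hs)["extensions"].get(HEARTBEAT_EXT)
    if data is None:
        return None
    if len(data) != 1 or data[0] not in HEARTBEAT_MODES:
        raise ValueError("malformed heartbeat extension")
    return HEARTBEAT_MODES[data[0]]


def build_server_hello(extensions) -> bytes:
    """Construct a TLS 1.2 ServerHello (fixed random, empty session id,
    placeholder cipher suite) carrying the given (type, data) extensions."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        ext_block = b"".join(struct.pack("!HH", t, len(d)) + d
                             for t, d in extensions)
        body += struct.pack("!H", len(ext_block)) + ext_block
    return b"\x02" + len(body).to_bytes(3, "big") + body


# Constructed samples: a server that still advertises heartbeat, and one
# that has dropped it (only renegotiation_info, type 0xff01, remains).
HELLO_WITH_HEARTBEAT = build_server_hello([(0xFF01, b"\x00"),
                                           (HEARTBEAT_EXT, b"\x01")])
HELLO_WITHOUT_HEARTBEAT = build_server_hello([(0xFF01, b"\x00")])

if __name__ == "__main__":
    for name, hello in [("with", HELLO_WITH_HEARTBEAT),
                        ("without", HELLO_WITHOUT_HEARTBEAT)]:
        print(name, heartbeat_mode(hello))
```

Two caveats when reading such data: a server that omits the extension cannot be reached through the heartbeat code path at all, which is why switching it off is a valid stopgap; but a server that still advertises it is not thereby shown to be vulnerable, since a patched OpenSSL (or a non-OpenSSL stack) advertises the extension just the same. The Notary data therefore captures the decision to turn heartbeat off, not vulnerability itself.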

In a second measurement, we examined how often servers changed certificates in the month directly preceding Heartbleed as well as in April 2014, the month in which Heartbleed was disclosed. To be precise, we start our measurement on the 6th of March and on the 6th of April, the day before the Heartbleed bug was published, and then track the number of servers that still serve the same certificate X days after the 6th. The resulting plot can be seen in the following figure.

[Figure: fraction of servers still serving the same certificate X days after the 6th of March and the 6th of April 2014]

In total, for April, 47% of the sites in the Notary still sent the same certificate that they had sent before disclosure of the Heartbleed bug. In contrast, for March, 85% of sites still sent the same certificate at the end of the month. This shows that a significant percentage of the sites accessed by Notary users took action because of Heartbleed, especially given that many of the servers that did not change their certificates might not have been vulnerable in the first place. A certificate change is, however, only a proxy for the remediation that matters: a site that reissued its certificate but kept the private key that could have leaked gains nothing, and this measurement, which compares whole certificates rather than their public keys, does not distinguish the two cases.
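The measurement described above is a persistence curve: of the servers seen with some certificate on the start day, what fraction has not yet been seen with a different certificate X days later. The following is an added example with constructed data, not the Notary's own code or data; the exact rules the Notary measurement used (for instance how servers that are never re-observed are counted) are not given on this page, and the rule assumed here is that a server counts as unchanged until the first observation of a different certificate fingerprint within the window. Hostnames and fingerprints are placeholders.

```python
"""Certificate persistence curve over per-connection observations.
Added example with constructed data; the rule that a server counts as
unchanged until a different fingerprint is first observed is an assumption."""
from datetime import date

# Constructed observations: (date, server, certificate fingerprint).
# The fingerprints are placeholders, not real certificate hashes.
OBSERVATIONS = [
    # March baseline and follow-ups: only one server changes.
    (date(2014, 3, 6), "a.example", "cert-a1"),
    (date(2014, 3, 6), "b.example", "cert-b1"),
    (date(2014, 3, 6), "c.example", "cert-c1"),
    (date(2014, 3, 6), "d.example", "cert-d1"),
    (date(2014, 3, 10), "a.example", "cert-a2"),  # changed 4 days in
    (date(2014, 3, 12), "b.example", "cert-b1"),  # re-seen, unchanged
    # April baseline (the day before disclosure) and follow-ups.
    (date(2014, 4, 6), "a.example", "cert-a2"),
    (date(2014, 4, 6), "b.example", "cert-b1"),
    (date(2014, 4, 6), "c.example", "cert-c1"),
    (date(2014, 4, 6), "d.example", "cert-d1"),
    (date(2014, 4, 8), "a.example", "cert-a3"),   # new cert 2 days after
    (date(2014, 4, 8), "d.example", "cert-d2"),   # new cert 2 days after
    (date(2014, 4, 9), "c.example", "cert-c1"),   # re-seen, unchanged
    (date(2014, 4, 11), "b.example", "cert-b2"),  # new cert 5 days after
    (date(2014, 4, 11), "e.example", "cert-e1"),  # not in baseline: ignored
]


def persistence_curve(observations, start, days):
    """Return [fraction of baseline servers still unchanged at X] for
    X in 0..days, where the baseline is every server observed on `start`
    and its first fingerprint seen that day."""
    baseline = {}
    for d, host, fp in observations:
        if d == start and host not in baseline:
            baseline[host] = fp
    if not baseline:
        raise ValueError("no observations on start day %s" % start)

    # Offset (in days) of the first observation with a different fingerprint.
    first_change = {}
    for d, host, fp in observations:
        if host not in baseline or d <= start:
            continue
        offset = (d - start).days
        if offset > days or fp == baseline[host]:
            continue
        first_change[host] = min(offset, first_change.get(host, days + 1))

    curve = []
    for x in range(days + 1):
        unchanged = sum(1 for h in baseline
                        if first_change.get(h, days + 1) > x)
        curve.append(unchanged / len(baseline))
    return curve


def curve_for(start_iso, days, observations=OBSERVATIONS):
    """Convenience wrapper taking an ISO date string, e.g. "2014-04-06"."""
    return persistence_curve(observations, date.fromisoformat(start_iso), days)


if __name__ == "__main__":
    for label, start in (("March", "2014-03-06"), ("April", "2014-04-06")):
        curve = curve_for(start, 7)
        print(label, ["%.2f" % v for v in curve], "final: %.0f%%" % (100 * curve[-1]))
```

The last element of each curve is the headline number quoted above (47% for April, 85% for March in the real data). With this rule, servers never re-observed after the start day are counted as unchanged, which biases the curve upward; a stricter variant would count only servers observed at or after day X, and the two should be compared on real data before quoting a single figure.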