Heartbleed: 200,000 websites still vulnerable to OpenSSL security flaw

Shodan search engine reveals that many systems remain unpatched for OpenSSL bug

Almost 200,000 websites and connected systems remain vulnerable to the 'Heartbleed' OpenSSL bug, more than two-and-a-half years after the security flaw was discovered.

That's according to the Shodan Report 2017, based on scans conducted by the search engine that enables used to scour the internet for specific types of computers.

The systems will be wide open to a range of exploits that have been around almost since the bug was first publicised.

The US is far out in front with 42,032 systems still vulnerable, according to Shodan, followed by South Korea with 15,380, China with 14,116, Germany with 14,072 and France with 8,702. The UK has some 6,491 systems and servers vulnerable to Heartbleed connected to the internet.

And the organisations hosting the most vulnerable systems include South Korea's SK Broadband and Amazon. Approximately 75,000 of the vulnerable connected systems are using expire SSL certificates and running ageing versions of Linux.

Heartbleed is a security flaw in the open-source OpenSSL cryptography library, widely used in implementations of the Transport Layer Security (TLS) protocol. The flaw was reported to the OpenSSL developers on 1 April 2014, publicly disclosed on 7 April 2014, with a fix released the same day.

However, many organisations have been slow to patch their systems accordingly. Many may not even know that the software they're running uses the OpenSSL library. Other TLS implementations are not affected by the flaw.

Indeed, just months after the flaw was discovered, Shodan found that 300,000 systems remained vulnerable. That was in June 2014.

Shodan is a search engine that enables users to find specific types of devices connected to the internet using a variety of filters.

Shodan collects data mostly on web servers (HTTP/HTTPS - port 80, 8080, 443, 8443), as well as FTP (port 21), SSH (port 22), Telnet (port 23), SNMP (port 161), SIP (port 5060),[2] and real-time streaming protocol (RTSP, port 554). The latter can be used to access webcams and their video stream.

It was launched in 2009 by computer programmer John Matherly who, in 2003, conceived the idea of a search engine that could search for devices linked to the Internet, as opposed to information. The name Shodan is a reference to a character from the System Shock computer games.