Security

How big is the impact of the OpenSSL vulnerability on the web?

Mathijs Baas

On 15 March, OpenSSL announced that versions 1.0.2, 1.1.1, 3.0.0 and 3.0.1 contain a high-severity vulnerability. The vulnerability, tracked as CVE-2022-0778, makes Denial-of-Service attacks against both TLS clients and TLS servers possible. According to our data, 1,607,496 domains currently use OpenSSL.

OpenSSL is an open-source toolkit for general-purpose cryptography. It is one of the most widely used pieces of software for encrypting web traffic, and it is also embedded in numerous applications. In 2012, OpenSSL suffered from a bug called “Heartbleed”, which showed how significant a vulnerability in OpenSSL can be. With Heartbleed, a malicious user could easily trick a vulnerable web server into sending sensitive information, including usernames and passwords.

While CVE-2022-0778 doesn’t allow tampering with sensitive data, could its impact be as significant as Heartbleed’s? Luckily, only 0.4% of the domains that publicly expose their OpenSSL version run one of the affected versions. The graph below shows how those domains are distributed across the vulnerable OpenSSL versions.
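The 0.4% figure comes from domains that advertise their OpenSSL version, typically in an HTTP `Server` header. The following script is an added example (not part of this post or of our measurement pipeline) showing how such a banner is parsed and checked against the affected versions listed above. The fixed releases it uses as thresholds (1.0.2zd, 1.1.1n and 3.0.2) are taken from OpenSSL's advisory for CVE-2022-0778 and are not stated in this post; the `SAMPLE_BANNERS` list is constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Matches "OpenSSL/1.1.1f" (Server header) as well as "OpenSSL 1.1.1n" (CLI output).
VERSION_RE = re.compile(r"OpenSSL/?\s*(\d+)\.(\d+)\.(\d+)([a-z]*)")

Version = Tuple[int, int, int, str]  # (major, minor, patch, letter suffix)


def parse_openssl_version(text: str) -> Optional[Version]:
    """Extract the first OpenSSL version from a banner; None if none is advertised."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def _letter_key(letters: str) -> Tuple[int, str]:
    # OpenSSL patch letters run a..z, then za, zb, ... so a longer suffix is newer.
    return (len(letters), letters)


def is_affected(version: Version) -> bool:
    """True if the version falls in one of the branches the post lists as vulnerable
    and predates the fixed release on that branch (per the OpenSSL advisory)."""
    major, minor, patch, letters = version
    if (major, minor, patch) == (1, 0, 2):
        return _letter_key(letters) < _letter_key("zd")  # fixed in 1.0.2zd
    if (major, minor, patch) == (1, 1, 1):
        return _letter_key(letters) < _letter_key("n")   # fixed in 1.1.1n
    if (major, minor) == (3, 0):
        return patch < 2                                  # 3.0.0 and 3.0.1; fixed in 3.0.2
    return False  # other branches are not in the affected list


def triage_banner(banner: str) -> str:
    """Classify a single banner. A match means 'needs checking', not 'confirmed vulnerable':
    distributions frequently backport fixes without changing the advertised version."""
    version = parse_openssl_version(banner)
    if version is None:
        return "no OpenSSL version advertised"
    return "affected" if is_affected(version) else "not affected"


def share_affected(banners: List[str]) -> Tuple[int, int]:
    """Return (affected, total_with_version), the two numbers behind a figure like 0.4%."""
    with_version = [v for v in map(parse_openssl_version, banners) if v is not None]
    affected = sum(1 for v in with_version if is_affected(v))
    return affected, len(with_version)


# Constructed sample banners, not real scan data.
SAMPLE_BANNERS = [
    "Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f",
    "Apache/2.4.52 (Unix) OpenSSL/3.0.2",
    "OpenSSL 1.0.2u  20 Dec 2019",
    "OpenSSL 1.0.2zd  15 Mar 2022",
    "OpenSSL 3.0.0 7 sep 2021",
    "nginx/1.18.0",
    "OpenSSL 1.1.1n  15 Mar 2022",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner!r}: {triage_banner(banner)}")
    affected, total = share_affected(SAMPLE_BANNERS)
    print(f"{affected} of {total} banners with a version are in the affected set")
```

Note that a banner-based count is an upper bound: a server reporting `OpenSSL/1.1.1f` on a distribution that backported the fix is flagged here but is not actually exploitable, so a match should trigger a package-level check rather than be counted as confirmed.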
