Renego: Popular, unpatched and vulnerable, an update
By Yngve Nysæter Pettersen. Thursday, June 9, 2011 8:51:03 AM
In the week after the previous article we tested a much larger sample of servers, ending with 1.66 million tested servers (compared to the 590,000 the previous article was based on), after the list of servers had been updated with names from the EFF SSL Observatory's "Valid names" list and more names from the Alexa list.
The result gives a much better impression of the current state of the Renego problem.
Below is a graph of how the Renego patch coverage varies between the various Alexa groups, for two sets of sites: the 375,000 sites that have been part of the tests since we started, and the large run we did two weeks ago:
As you can see, the difference between the Alexa sites and the non-Alexa sites was fairly big in the old set, but it is even larger when using the bigger test set: 9.3 percentage points, an 18% relative difference.
However, the larger set did improve the statistics for the Alexa Top 100, probably due to the general increase in the number of hostnames.
The reason for the difference is most likely the relatively limited number of hostnames and name variations (7) used in the original list. The new list includes a lot of new name variations (150 or more) of the Alexa list, as well as a lot of new hosts from the EFF list.
Among the unpatched sites, the vulnerability rates varied from 56% for non-Alexa sites to 62% for the Alexa Top 100.
All of this, unfortunately, only serves to further indicate that the popular sites, with some exceptions such as Google, have avoided not just patching this problem, but also any attempt to mitigate it, while less popular sites are much more on the ball when it comes to patching.
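As an added illustration, not the author's survey tooling, here is a Python check for the first distinction the survey draws: whether a server's ServerHello carries the RFC 5746 renegotiation_info extension, which is what "patched" means above. The ServerHello records are constructed samples rather than captures, and the function and record names are my own.

```python
import struct
RENEGOTIATION_INFO = 0xFF01   # extension type defined by RFC 5746 (secure renegotiation)

def build_server_hello(extensions):
    """Build a minimal TLS 1.2 ServerHello record; used only to construct offline samples."""
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = b"\x03\x03" + bytes(32) + b"\x00"      # server_version, 32-byte random (zeros), empty session_id
    body += b"\xc0\x2f\x00"                       # cipher suite and null compression method
    if extensions:
        body += struct.pack("!H", len(ext_blob)) + ext_blob
    hs = b"\x02" + len(body).to_bytes(3, "big") + body        # handshake type 2 = ServerHello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs  # record header: handshake, TLS 1.2

def parse_server_hello_extensions(record):
    """Return {extension_type: data} from a ServerHello record; ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    pos = 35 + body[34] + 2 + 1                   # skip version, random, session_id, cipher_suite, compression
    exts = {}
    if pos == len(body):
        return exts                               # no extensions block at all (older servers)
    if pos + 2 > len(body):
        raise ValueError("truncated ServerHello")
    pos, end = pos + 2, pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    if end != len(body):
        raise ValueError("extensions length does not match body")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        exts[etype], pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
    if pos != end:
        raise ValueError("extension overruns extensions block")
    return exts

def secure_renegotiation_status(record):
    """'patched' if renegotiation_info carries the empty renegotiated_connection RFC 5746 requires on an
    initial handshake, 'malformed' if its payload is wrong, else 'unpatched' (an unpatched server may
    still be mitigated by refusing renegotiation, which a single ServerHello cannot show)."""
    data = parse_server_hello_extensions(record).get(RENEGOTIATION_INFO)
    if data is None:
        return "unpatched"
    return "patched" if data == b"\x00" else "malformed"

PATCHED_HELLO = build_server_hello([(RENEGOTIATION_INFO, b"\x00")])  # constructed sample, not a capture
UNPATCHED_HELLO = build_server_hello([(0x0000, b"")])               # constructed: server_name ack only
```

Classifying an unpatched server further, into "mitigated" (refuses renegotiation) versus "vulnerable", needs a live renegotiation attempt against the server, which this offline parser deliberately does not do.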