Co-authored by meatwad and @bl4ckt0ts
In the context of the OpenSSL Heartbleed vulnerability we started to scan the whole IPv4 Internet. The goal was to understand how many machines were impacted but also to measure the rate at which vulnerable systems are patched.
The OpenSSL library is broadly used to provide SSL and TLS support. For example, mod_ssl is an interface to OpenSSL for Apache HTTP Server to serve web pages over HTTPS. Another example is courier-IMAP, which is also able to rely on OpenSSL to deliver IMAP over SSL services.
For this exercise we focused on finding HTTPS servers vulnerable to Heartbleed. We therefore scanned the whole routable IPv4 Internet on port 443 four days in a row. Every time the port was open, we initiated an HTTPS handshake. Upon success, we checked the service for the Heartbleed vulnerability by sending a heartbeat packet with a crafted size. That allowed us to spot vulnerable systems.
What we found is that there are around 30 million machines answering HTTPS requests on port 443. Of these 30 million, about 1.5 million are vulnerable to Heartbleed.
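The length check that a patched receiver applies to a heartbeat message, as an added example that is not part of the original post or of the scanner used for it. It assumes the record is available in plaintext and follows the RFC 6520 layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding); the function names and the sample records are constructed for illustration.

```python
import struct

TLS_HEARTBEAT = 24   # TLS record content type "heartbeat" (RFC 6520)
MIN_PADDING = 16     # RFC 6520 requires at least 16 bytes of padding


def classify_record(raw: bytes) -> str:
    """Classify one plaintext TLS record: not-heartbeat, truncated, valid or discard."""
    if len(raw) < 5:
        return "truncated"
    ctype, _version, rec_len = struct.unpack("!BHH", raw[:5])
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    body = raw[5:5 + rec_len]
    if len(body) < rec_len:
        return "truncated"      # the capture ended before the record did
    if rec_len < 1 + 2 + MIN_PADDING:
        return "discard"        # too short to hold type, length and padding
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    # Bounds check: type (1) + length (2) + payload + padding must fit in the
    # bytes the record actually carries; otherwise the message is dropped.
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return "discard"
    return "valid"


def make_record(ctype: int, body: bytes) -> bytes:
    """Wrap a body in a TLS 1.1 record header (helper for the constructed samples)."""
    return struct.pack("!BHH", ctype, 0x0302, len(body)) + body


# Constructed samples: both heartbeats carry a 4-byte payload, only the
# declared payload length differs.
_GOOD = make_record(TLS_HEARTBEAT, struct.pack("!BH", 1, 4) + b"ping" + bytes(16))
SAMPLES = {
    "consistent": _GOOD,
    "over-declared": make_record(TLS_HEARTBEAT, struct.pack("!BH", 1, 64) + b"ping" + bytes(16)),
    "application-data": make_record(23, bytes(32)),
    "cut-short": _GOOD[:10],
}


def classify_samples() -> dict:
    return {name: classify_record(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:17} {verdict}")
```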
| | 2014-04-10 | 2014-04-11 | 2014-04-12 | 2014-04-13 |
|---|---|---|---|---|
| Successful HTTPS | 29’577’960 | 29’340’845 | 28’985’946 | 29’030’377 |
| Vuln to Heartbleed | 1’762’470 | 1’598’619 | 1’501’848 | 1’465’879 |
The good news is that sys admins were patching, even over the weekend :)
The bad news is that if the patching rate does not increase, we’ll never have a Heartbleed-free Internet. Let’s see how it’s going to evolve over the next few days.
Edit: The graph scale was changed to go down to zero.
I’d put the bottom of the y axis at 0. Makes it easier to see how (in)significant the decrease is.
Thanks for your comment, I updated the graph accordingly.