The majority of sites that attempted to protect themselves against Heartbleed have ended up no better for it, while some are actually more vulnerable than before.

Following Heartbleed's reveal on 7 April, sites scrambled to patch their OpenSSL installations and revoke their old certificates. Now, data from a study conducted by Netcraft shows that many sites haven't done enough to fully protect themselves from the bug.

Some 30,000 sites revoked their old certificates but did not replace their private keys, according to Netcraft. If those keys were compromised, replacing the certificates is moot: with the private key, an attacker can decrypt sensitive information and perform man-in-the-middle attacks.

Just 14 per cent of sites conducted all three steps needed to properly secure their servers: replacing their certificates, revoking the old ones and changing their private keys. More than half (57 per cent) of sites originally vulnerable to Heartbleed have not revoked or reissued their SSL certificates. A further 21 per cent have reissued their certificates but not revoked the originals, which may have been compromised.

The 30,000 sites that revoked their certificates but did not replace their private keys represent about five per cent of sites vulnerable to Heartbleed, says Netcraft. Worse, though, is the 20 per cent of servers vulnerable today that were not when the bug was uncovered. Their owners rushed to protect their systems and replaced their secure certificates with flawed ones, said Yngve Pettersen at Vivaldi.
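The failure Netcraft describes, a certificate reissued or revoked while the private key behind it stays the same, is easy to detect from the outside: the certificate's SubjectPublicKeyInfo identifies the key pair, so if its fingerprint matches the pre-Heartbleed certificate, the key was never rotated. The script below is an added example, not part of the Netcraft study or Vivaldi's data; it assumes the `openssl` command-line tool is installed, and all keys, certificates and the `example.test` name are constructed on the spot so it runs offline.

```shell
#!/bin/sh
# Added example: decide whether a site's new certificate sits on a new private key.
# Assumes the openssl CLI. Keys, certificates and names below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 over the DER-encoded SubjectPublicKeyInfo of a certificate. Two
# certificates with the same fingerprint share the same public key, and
# therefore the same private key behind it.
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | awk '{print $1}'
}

cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# audit_reissue OLD_CERT NEW_CERT: prints a verdict and returns
#   0  new certificate on a new key      (full remediation)
#   1  new certificate on the same key   (key still exposed if it leaked)
#   2  the same certificate is still served (nothing done)
audit_reissue() {
    old_key=$(spki_fingerprint "$1"); new_key=$(spki_fingerprint "$2")
    old_ser=$(cert_serial "$1");      new_ser=$(cert_serial "$2")
    if [ "$old_ser" = "$new_ser" ]; then
        echo "UNCHANGED: certificate with serial $old_ser still in use"; return 2
    elif [ "$old_key" = "$new_key" ]; then
        echo "KEY REUSED: certificate reissued but public key $old_key is unchanged"; return 1
    else
        echo "ROTATED: new certificate and new key"; return 0
    fi
}

# Constructed sample data: fresh key + self-signed certificate.
gen_key_and_cert() {  # gen_key_and_cert KEYFILE CERTFILE
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -subj "/CN=example.test" -days 30 >/dev/null 2>&1
}

# "Before Heartbleed": the key that may have leaked and its certificate.
gen_key_and_cert "$WORK/old.key" "$WORK/old.crt"
# The mistake the study flags: a new certificate issued for the OLD key.
openssl req -x509 -new -key "$WORK/old.key" -out "$WORK/reissued_same_key.crt" \
    -subj "/CN=example.test" -days 30 >/dev/null 2>&1
# Correct remediation: generate a new key, then obtain a certificate for it.
gen_key_and_cert "$WORK/new.key" "$WORK/rotated.crt"

# Demonstration run: compare the pre-Heartbleed certificate with each candidate.
for cand in old.crt reissued_same_key.crt rotated.crt; do
    audit_reissue "$WORK/old.crt" "$WORK/$cand" || true
done
```

To audit a live host instead of local files, replace the candidate file with the certificate from `openssl s_client -connect host:443 -servername host </dev/null | openssl x509`, keeping the pre-Heartbleed certificate from a scan archive or the site's own records as the baseline; a differing serial with an identical SPKI fingerprint is exactly the "revoked but not re-keyed" case the study counted.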