About the Heartbleed problem

mr_write
Created: 4 years and 4 months ago • Updated: 4 years and 4 months ago
I was wondering if it was possible to check sites to see if they have updated to the latest SSL patch to fix the Heartbleed problem.
I notice that Chrome has a plugin for this. If DuckDuckGo had an automatic test (much like the WOT warning), the bloggers could recommend DDG as a test for potential problems.

This forum has been archived

Thank you all for the many comments, questions and suggestions. Particular thanks go to user x.15a2 for constantly monitoring, replying and helping so many users here. To continue these discussions, please head over to the DuckDuckGo subreddit.


jbarrett
It would be great to get that sort of exposure, though I believe testing for the exploit means actually performing it, which opens up a serious can of worms legally and ethically.

Happy to hear differently from anyone.
posted by jbarrett (Staff) • 4 years and 4 months ago
x.15a2
There is a web site, not affiliated in any way with DDG, that performs a Heartbleed test:
http://filippo.io/Heartbleed/

I just submitted a !bang suggestion for this. I think if the search results page track too many security and vulnerability issues, the results might become obscured by all of the warning icons.
posted by x.15a2 (Community Leader) • 4 years and 4 months ago
mr_write
"I think if the search results page track too many security and vulnerability issues, the results might become obscured by all of the warning icons."

THAT is true. But the SSL Heartbleed thing is something that all servers need to replace. Thus the need will disappear as it is fixed. I wasn't suggesting continuing the campaign to alert for all things, or even ongoing issues.
I just figured if Chrome can have it as an add-on, it would be a simple check.

I would be happy for a !bang tool for it.
posted by mr_write • 4 years and 4 months ago
anonymous
Couldn't this be done by checking what version the host server software is?
E.g.: apache x.xxx

...or am I being too simplistic?
posted by <hidden> • 4 years and 4 months ago
anonymous
Hmmm, as far as I know it's the version of OpenSSL that matters?

Not something you can get that easily.

The Heartbleed test suggested by @x.15a2 is far more reliable.

By the way, fixing the vulnerability is one thing. That doesn't mean some password/private keys or other sensitive data are not already compromised on that site.

In theory, some malicious hackers could have used that vuln for two years without leaving any trace whatsoever. So we can assume everything in the memory of the affected servers in the last two years could have been compromised. It is a very serious vuln.

Relevant XKCD 1: How it "works"
Relevant XKCD 2: How compromised are we?
posted by <hidden> • 4 years and 4 months ago
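The two anonymous posts above raise a practical point for anyone doing an inventory sweep: the web server banner ("apache x.xxx") says nothing by itself, and what matters is the OpenSSL version the server was built against, which is only sometimes visible (Apache exposes it in the Server header when ServerTokens is set to Full; on the host itself `openssl version` prints it). The script below is an added example, not code from this thread or from DuckDuckGo, that parses such strings and sorts hosts into affected / not affected / unknown, and attaches the remediation the last post argues for (patching alone does not undo keys or passwords already read from memory). The facts it relies on are upstream OpenSSL release history: the heartbeat bug is present in 1.0.1 through 1.0.1f and in the 1.0.2-beta1 pre-release, and fixed from 1.0.1g onward. The hostnames and banner strings are constructed sample data, not real hosts.

```python
"""Inventory triage for the Heartbleed OpenSSL bug from version strings.

Added example, not part of the forum thread. Assumed facts (upstream
OpenSSL history): affected versions are 1.0.1 .. 1.0.1f and 1.0.2-beta1;
1.0.1g and 1.0.2-beta2 are the first fixed releases. Hostnames and
banners in SAMPLE_INVENTORY are constructed, not real.
"""
import re

# Heartbleed exposure window by upstream version (assumed fact, see above).
FIRST_AFFECTED = (1, 0, 1, "")   # 1.0.1 introduced the TLS heartbeat extension
FIRST_FIXED = (1, 0, 1, "g")     # 1.0.1g is the first fixed 1.0.1 release

# Matches "OpenSSL/1.0.1e" (Apache Server header) and "OpenSSL 1.0.1e ..."
# (output of `openssl version`). Trailing letter is the patch level.
VERSION_RE = re.compile(r"OpenSSL[ /](\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, fix, letter) or None if no version is visible."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def classify(text):
    """Classify a banner or `openssl version` line.

    "unknown"      no OpenSSL version exposed (ServerTokens Prod, nginx, ...)
    "affected"     upstream version falls inside the Heartbleed window
    "not-affected" 0.9.8 / 1.0.0 (no heartbeat extension) or >= 1.0.1g

    Caveat: distributions backport fixes without bumping the upstream
    number, so "affected" means "verify" (package changelog, a direct
    heartbeat test such as the one linked above), not "confirmed".
    """
    v = parse_openssl_version(text)
    if v is None:
        return "unknown"
    major, minor, fix, _letter = v
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped the bug; beta2 and the release did not.
        return "affected" if "1.0.2-beta1" in text else "not-affected"
    # Tuple comparison orders 1.0.1 < 1.0.1a < ... < 1.0.1f < 1.0.1g.
    if FIRST_AFFECTED <= v < FIRST_FIXED:
        return "affected"
    return "not-affected"


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE_INVENTORY = {
    "www.example.test": "Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1e",   # inside the window
    "api.example.test": "Apache/2.2.22 (Debian) OpenSSL/0.9.8o",  # predates heartbeat
    "mail.example.test": "OpenSSL 1.0.1g 7 Apr 2014",             # `openssl version` output
    "cdn.example.test": "nginx/1.4.7",                            # nothing exposed
}

ACTIONS = {
    "affected": "patch OpenSSL, then reissue keys/certificates and rotate credentials",
    "not-affected": "no Heartbleed action needed",
    "unknown": "version not visible; check on-host `openssl version` or run a heartbeat test",
}


def audit(inventory):
    """Map each host to (status, recommended action)."""
    result = {}
    for host, banner in inventory.items():
        status = classify(banner)
        result[host] = (status, ACTIONS[status])
    return result


if __name__ == "__main__":
    for host, (status, action) in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:20} {status:13} {action}")
```

The classifier deliberately treats a visible vulnerable version as a prompt to verify rather than a finding, because the Debian and Ubuntu packages of that era kept the 1.0.1e string after the fix was backported; the reverse is not true, so a banner showing 1.0.1g or later is a reasonable signal that the patch is in place, while the key and password rotation the last post describes still has to be tracked separately.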