Very cool! Tested my site before and after a patch, and it recognized the fix. A quick UI tip: you should give some indicator while the test is running. I couldn't tell anything was happening while I waited. Even just a spinner gif of some kind.
I mentioned in another thread today that perhaps having the source code for script-kiddies to start attacking everything might not be the best thing to do at this time. I think it's great to just have a website like this to test the vulnerability. It would also be nice if someone like Google could host the page so it won't get knocked down by too many requests as I'm sure will be happening for the next few days.
I'll take my chances with one site having the list rather than open-sourcing it and having every script-kiddie dumping RAM out of all the sensitive systems of the interwebz.
(Sidenote: Bitcoin exchanges, please for the love of all that is good... don't start getting owned by this. UPDATE NOW)
Not quite as good though. The above will let just know whether you have the extension, but not whether you have the patched version, which can also be done from the CLI by using:
echo -e "quit\n" | openssl s_client -connect server.com:443 -tlsextdebug 2>&1 | grep heartbeat
(as suggested someone in another thread here). That will answer Yes to a patched OpenSSL.
The OP's site actually attempts a (mild?) exploit of this.
FYI, I tested herokuapp.com's SSL support. It reports as vulnerable. :(
On the bright side, since such servers are Heroku's inbound load-balancers, individual app dyno secrets in RAM probably aren't at risk. But, impersonating herokuapp.com, decoding its sessions, or viewing fragments of arbitrary other traffic through the same server may all be possible.
I have a bunch of servers on Ubuntu 12.04LTS. Did the test. Came back as vulnerable. Then did an apt-get upgrade, which upgraded a bunch of SSL services. Did the test again. Still vulnerable.
37 comments
[ 1.6 ms ] story [ 91.3 ms ] threadI'm also getting this error:
Other than that, great work @ars!
Loading bar implemented!
Any chance you would open source this?
I mentioned in another thread today that perhaps having the source code for script-kiddies to start attacking everything might not be the best thing to do at this time. I think it's great to just have a website like this to test the vulnerability. It would also be nice if someone like Google could host the page so it won't get knocked down by too many requests as I'm sure will be happening for the next few days.
(Sidenote: Bitcoin exchanges, please for the love of all that is good... don't start getting owned by this. UPDATE NOW)
https://gist.github.com/hlein/10121981
What, praytell, is a script kiddie going to do with that, other than oogle at the word "vulnerable"?
http://possible.lv/tools/hb/
(as suggested someone in another thread here). That will answer Yes to a patched OpenSSL.
The OP's site actually attempts a (mild?) exploit of this.
On the bright side, since such servers are Heroku's inbound load-balancers, individual app dyno secrets in RAM probably aren't at risk. But, impersonating herokuapp.com, decoding its sessions, or viewing fragments of arbitrary other traffic through the same server may all be possible.
Heroku reports they're aware and working on it: http://status.heroku.com
Also caching the results should also lighten the load on your server significantly since many people are probably checking common websites.
EDIT: Got it working by changing "github.com/titanous/heartbleeder/tls" to "./tls" and running "go run heartbleeder.go example.com"
Am I missing something?
What else should I do?
And then restart everything that comes back from a