On Monday, April 7th a major vulnerability “Heartbleed” was found in the popular OpenSSL cryptographic library, which is widely used with applications and web servers. The sites and services across the Internet are thus busy patching this vulnerability and updating the SSL certificates to protect their customers. As said, OpenSSL v1.0.1 through 1.0.1f (inclusive) are vulnerable and OpenSSL 1.0.1g released on 7th April, 2014 fixes this bug.
An excerpt from Heartbleed.com says,
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
Check if your site or Android Phone is affected by the Heartbleed bug –
There are some services that can tell you whether the site that you’ve entrusted with your information was or is still vulnerable, and when its certificate was updated.
Filippo Valsorda’s Heartbleed test – filippo.io/Heartbleed
Enter a URL or a hostname to test your server for Heartbleed (CVE-2014-0160). You can specify a port like this
example.com:4433. 443 by default.
LastPass Heartbleed checker – lastpass.com/heartbleed
See if a site is vulnerable to Heartbleed. It shows the site’s server software, tells if it was vulnerable and if the SSL certificate is now safe and when were last created.
Chromebleed (Google Chrome extension)
Displays a warning if the site you are browsing is affected by the Heartbleed bug. It checks the URL of the page using Filippo’s service. Useful if you don’t wish to check the sites manually.
Mashable has compiled an interesting list of well-known sites stating their current status, as to whether they were affected, and whether you should change your password.
Heartbleed Detector for Android –
Android users can easily check if their Android device is vulnerable to the HeartBleed bug with a free app called “Heartbleed Detector” from Lookout Mobile Security. The app determines what version of OpenSSL is your device using. If your device is running one of the affected versions of OpenSSL, it then checks to see if the specific vulnerable behaviour is enabled or not.
However, if your device is vulnerable there is no necessary action you can take unless a patch is released by Google or your device manufacturer.
Leave a Reply