
Test "secure" websites for Heartbleed vulnerability

Comments

  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Whitehat or no, I would be interested to know the legal situation of running a tool like this against a site without permission.


  • Closed Accounts Posts: 2,532 ✭✭✭Lou.m




  • Registered Users Posts: 1,667 ✭✭✭Impetus


    Whitehat or no, I would be interested to know the legal situation of running a tool like this against a site without permission.

    Aside from the site's terms and conditions of use, and similar, the customer (of a site that has or might get) one's personal information must expect this type of testing especially from security conscious customers.

    The test I posted a link to, does not run the test on each request. If the test has been run within a certain period in the past, it simply shows the enquirer a copy of the test results.

    There are a lot of poorly configured sites on the internet many running out of date software, who need to be exposed in cases where personal information is involved.


  • Registered Users Posts: 33,850 ✭✭✭✭Hotblack Desiato


    Impetus wrote: »
    The vulnerability does not affect Microsoft servers

    It does if the SSL connection terminates on a firewall or load balancer running a vulnerable version of OpenSSL, and these vendors won't be as quick to make patches available.

    It probably also affects most Linux desktops (clients).

    Most browsers don't use OpenSSL, Firefox doesn't. If you have a port open to the internet for incoming SSL connections then you're running a server and need to know how to secure it anyway. But normal desktop Linux users have no need to worry AFAIK. All the major distros had a patch out very quickly so apply that and stop/restart sshd (or reboot) and you're covered anyway.

    Life ain't always empty.
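
Added example, not part of the original thread: installing the patched package is not enough on its own, because a process started before the upgrade keeps the old library mapped until it is restarted. The sketch below lists such processes on Linux by reading `/proc/<pid>/maps`; the function names and the sample mappings are constructed for illustration.

```python
import os
import re

# Shared objects that carry OpenSSL code: libssl and its libcrypto backend.
LIB_RE = re.compile(r"/(libssl|libcrypto)[^/\s]*\.so[^/\s]*")
DELETED = " (deleted)"

# Constructed sample in /proc/<pid>/maps format: a daemon started before the
# package upgrade, so the replaced library files show up as "(deleted)".
SAMPLE_MAPS = """\
7f1c2a000000-7f1c2a05c000 r-xp 00000000 08:01 131090 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1c2a400000-7f1c2a5d0000 r-xp 00000000 08:01 131091 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f1c2b000000-7f1c2b1b0000 r-xp 00000000 08:01 131200 /lib/x86_64-linux-gnu/libc-2.19.so
7f1c2c000000-7f1c2c021000 rw-p 00000000 00:00 0
"""

def stale_tls_libs(maps_text):
    """Return OpenSSL libraries that are mapped but replaced on disk."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no backing file
        path = fields[5]
        if path.endswith(DELETED) and LIB_RE.search(path):
            stale.add(path[:-len(DELETED)])
    return sorted(stale)

def scan_proc(proc_root="/proc"):
    """Map pid -> stale OpenSSL libraries for every readable process."""
    findings = {}
    if not os.path.isdir(proc_root):
        return findings  # not a Linux procfs system
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                libs = stale_tls_libs(fh.read())
        except OSError:
            continue  # process exited, or we lack permission to read it
        if libs:
            findings[int(entry)] = libs
    return findings

if __name__ == "__main__":
    print("sample:", stale_tls_libs(SAMPLE_MAPS))
    for pid, libs in sorted(scan_proc().items()):
        print(pid, ", ".join(libs))
```

Run it as root to see every process. Software that links OpenSSL statically or bundles its own copy will not appear here and has to be checked against its vendor's update.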



  • Registered Users Posts: 1,667 ✭✭✭Impetus


    ninja900 wrote: »
    It does if the SSL connection terminates on a firewall or load balancer running a vulnerable version of OpenSSL, and these vendors won't be as quick to make patches available.

    It does not affect Microsoft servers. Period!

    It may affect a system which uses software which relies on OpenSSL. However I would have thought that this would not apply to a pure firewall which I presume just passes packets to the server - even if that firewall was Linux based. The only exception I can think of is a firewall that also has VPN functionality.


  • Registered Users Posts: 4,188 ✭✭✭wil




  • Registered Users Posts: 33,850 ✭✭✭✭Hotblack Desiato


    Impetus wrote: »
    It does not affect Microsoft servers. Period!

    It may affect a system which uses software which relies on OpenSSL. However I would have thought that this would not apply to a pure firewall which I presume just passes packets to the server - even if that firewall was Linux based. The only exception I can think of is a firewall that also has VPN functionality.

    It does affect Microsoft servers... Period! if their SSL connection terminates on a device running a vulnerable version of OpenSSL. The web server isn't vulnerable itself, but that's little consolation to the users once the private key is hacked.

    Life ain't always empty.



  • Registered Users Posts: 203 ✭✭industrialhorse


    Similar to ssllabs.com but gets to the point and made me almost lose my rag with about 20 mins left in work yesterday:(

    https://lastpass.com/heartbleed/


  • Registered Users Posts: 203 ✭✭industrialhorse


    ninja900 wrote: »
    It does affect Microsoft servers... Period! if their SSL connection terminates on a device running a vulnerable version of OpenSSL. The web server isn't vulnerable itself, but that's little consolation to the users once the private key is hacked.

    http://blogs.msdn.com/b/windowsazure/archive/2014/04/09/information-on-microsoft-azure-and-heartbleed.aspx


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard




  • Closed Accounts Posts: 18,969 ✭✭✭✭syklops


    Not just servers.

    There is a helluva lot, a helluva lot! of wireless access points and other devices that are vulnerable and forgotten about - some which may never be patched.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard



