Is your website safe from the Heartbleed Bug?

The Heartbleed bug is a serious vulnerability in the OpenSSL cryptographic software library. It allows sensitive information that is normally protected by SSL/TLS encryption to be exposed, for applications like web, email, IM, and VPN.

Detailed information about the Heartbleed bug can be found here. In this article, I will talk about how to test whether your web applications are vulnerable to Heartbleed.

Status of different OpenSSL versions:

•   OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable

•   OpenSSL 1.0.1g is NOT vulnerable

•   OpenSSL 1.0.0 branch is NOT vulnerable

•   OpenSSL 0.9.8 branch is NOT vulnerable
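One way to apply the version list above to the output of openssl version on a server, as an added example that is not part of the original article. The function name heartbleed_status and the sample strings are constructed for illustration, and the script goes slightly beyond the list by also classifying later release lines that shipped after the fix.

```shell
#!/bin/sh
# Added example (not from the original article): classify an `openssl version`
# string against the version list above. Status is by upstream version number
# only: distribution packages may backport the fix without changing the string,
# so treat "vulnerable" as "verify the package changelog", not as proof.

# heartbleed_status "<one line of `openssl version` output>"
# prints: vulnerable | not-vulnerable | not-listed
heartbleed_status() {
    # "OpenSSL 1.0.1e-fips 11 Feb 2013" -> "1.0.1e-fips"
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    case "$ver" in
        ''|*beta*|*dev*|*pre*) echo not-listed; return 0 ;;  # pre-releases are not in the list
    esac
    ver=${ver%%-*}                      # drop build suffixes such as "-fips"
    case "$ver" in
        1.0.1|1.0.1[abcdef])  echo vulnerable ;;      # 1.0.1 through 1.0.1f
        1.0.1[a-z])           echo not-vulnerable ;;  # 1.0.1g and later letters
        1.0.0*|0.9.8*)        echo not-vulnerable ;;  # branches without the heartbeat code
        1.0.2*|1.1.*|[3-9].*) echo not-vulnerable ;;  # beyond the article: released after the fix
        *)                    echo not-listed ;;
    esac
}

# Constructed sample strings in the format `openssl version` prints.
for sample in \
    "OpenSSL 1.0.1e-fips 11 Feb 2013" \
    "OpenSSL 1.0.1g 7 Apr 2014" \
    "OpenSSL 0.9.8y 5 Feb 2013" \
    "OpenSSL 1.0.2-beta1 24 Feb 2014"
do
    printf '%-36s %s\n' "$sample" "$(heartbleed_status "$sample")"
done

# Classify the local binary when one is installed.
if command -v openssl >/dev/null 2>&1; then
    printf 'local: %s\n' "$(heartbleed_status "$(openssl version)")"
fi
```

The result reflects the command-line binary only; a web server or other daemon may be linked against a different OpenSSL library than the one on the PATH.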

If you are using F5 to offload SSL – you can refer here to check if it’s vulnerable.

Heartbleed Test by Filippo

Scan your web applications online at http://filippo.io/Heartbleed/. You can test either by domain name or by IP address with the secure port.

SSL Server Test by Qualys

Qualys SSL Labs has also added a check to its SSL scan tool to test whether the server is vulnerable to the Heartbleed attack. You can access the SSL Server Test at https://www.ssllabs.com/ssltest/

OpenSSL Command

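You can also test locally on a server using the openssl command, as follows.

echo "QUIT" | openssl s_client -connect facebook.com:443 -tlsextdebug 2>&1 | grep 'server extension "heartbeat" (id=15)' || echo safe

The -tlsextdebug option makes s_client print the TLS extensions the server sends; without it the heartbeat line never appears and the command always prints safe. If the heartbeat line is printed, the server advertises the heartbeat extension, which does not by itself prove it is vulnerable, so check its OpenSSL version against the list above.

Replace facebook.com:443 with your own DNS name or IP address and port.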
