Is your website safe from Heartbleed Bug?
The Heartbleed bug is a severe vulnerability in the OpenSSL cryptographic software library. It allows an attacker to read sensitive information that should be protected by SSL/TLS encryption in applications such as web, email, IM, and VPN.
Detailed information about the Heartbleed bug can be found here.
In this article, I will show how to test whether your web applications are vulnerable to Heartbleed.
Status of the different OpenSSL versions:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
If you are using F5 to offload SSL – you can refer here to check if it’s vulnerable.
Heartbleed Testing Tools
One of the popular tools, SSL Server Test by Qualys, scans the target for more than 50 known TLS/SSL vulnerabilities, including Heartbleed. On the test result page, you should see something like the following.
TLS Scanner by Geekflare lets you quickly test your website for misconfiguration and common security flaws.
If you are testing internal sites or don’t want to use a cloud-based scanner, you can use OpenSSL directly. The following command should help you with that.
echo "QUIT"|openssl s_client -connect facebook.com:443 2>&1|grep 'server extension "heartbeat" (id=15)' || echo safe
[[email protected] ~]# echo "QUIT"|openssl s_client -connect geekflare.com:443 2>&1|grep 'server extension "heartbeat" (id=15)' || echo safe
safe
[[email protected] ~]#
Replace geekflare.com:443 with your own host and port. Note that this command only reports whether the server advertises the TLS heartbeat extension (id=15); a patched server running 1.0.1g or later may still advertise it, so confirm the installed OpenSSL version on the host before concluding anything either way.
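The two checks above, the OpenSSL version table and the heartbeat-extension test, as an added example that is not part of the original article: a small Python parser that looks for extension id 15 in a captured TLS ServerHello record, plus a classifier for `openssl version` banners using the version table. The ServerHello bytes are constructed inline for offline use; `build_server_hello` and its dummy extension payloads are my own helpers.

```python
import re
import struct

HEARTBEAT_EXT = 15  # TLS extension id "heartbeat" (RFC 6520), the one grep'd above


def server_hello_extensions(record: bytes) -> dict:
    """Parse one TLS handshake record holding a ServerHello; return {ext_id: data}."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 22 or len(record) != 5 + rlen:
        raise ValueError("not a complete TLS handshake record")
    hs = record[5:]
    if hs[0] != 2:  # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                  # skip server_version + random
    pos += 1 + body[pos]          # session_id (length-prefixed)
    pos += 2 + 1                  # cipher_suite + compression_method
    exts = {}
    if pos >= len(body):          # no extensions block at all
        return exts
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos < end:
        ext_id, dlen = struct.unpack("!HH", body[pos:pos + 4])
        exts[ext_id] = body[pos + 4:pos + 4 + dlen]
        pos += 4 + dlen
    return exts


def advertises_heartbeat(record: bytes) -> bool:
    """True when the server offered the heartbeat extension (what the grep detects)."""
    return HEARTBEAT_EXT in server_hello_extensions(record)


def openssl_version_vulnerable(banner: str) -> bool:
    """Classify an 'openssl version' banner using the table in the article."""
    m = re.match(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)", banner)
    if not m:
        raise ValueError("unrecognised version string")
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    # Only 1.0.1 through 1.0.1f is affected; "" (plain 1.0.1) sorts before "f".
    return branch == (1, 0, 1) and m.group(4) <= "f"


def build_server_hello(ext_ids) -> bytes:
    """Constructed sample TLS 1.2 ServerHello (dummy 1-byte extension payloads)."""
    exts = b"".join(struct.pack("!HH", e, 1) + b"\x01" for e in ext_ids)
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    if ext_ids:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0303, len(hs)) + hs
```

Treat the two results together: a server that advertises the extension but runs 1.0.1g or later is patched, while one on 1.0.1 through 1.0.1f needs the upgrade below regardless of what it advertises.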
Fixing is quite straightforward. There are two things you need to do.
- Upgrade OpenSSL to 1.0.1g or a higher version.
- Regenerate the CSR using the upgraded version of OpenSSL and get it signed by a certificate authority. Generate a new private key for it rather than reusing the old one, since the old key may have been exposed while the vulnerable version was in use. Once you receive the signed certificate, install it on your respective web servers or edge devices.
I hope this helps you.