Is your website safe from the Heartbleed bug?
The Heartbleed bug is a serious vulnerability in the OpenSSL cryptographic software library. It allows sensitive information that should be protected by SSL/TLS encryption to be exposed, affecting applications like web, email, IM, and VPN.
Detailed information about the Heartbleed bug can be found here. In this article, I will talk about how to test whether your web applications are vulnerable to Heartbleed.
Status of different OpenSSL versions:
• OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
• OpenSSL 1.0.1g is NOT vulnerable
• OpenSSL 1.0.0 branch is NOT vulnerable
• OpenSSL 0.9.8 branch is NOT vulnerable
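To apply this list to the library installed on a server, the following added example (not part of the original article) classifies a version string in the format printed by `openssl version`. The function name classify_openssl_version and the sample strings are assumptions made for illustration; it also treats 1.0.1 letter releases after g as fixed, which goes slightly beyond the list.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version string against the list above.
# classify_openssl_version is a hypothetical helper name, not an OpenSSL tool.

classify_openssl_version() {
    ver=$1
    ver=${ver#OpenSSL }   # drop the leading product name, if present
    ver=${ver%% *}        # keep only the version token, drop the build date
    ver=${ver%-fips}      # FIPS builds report e.g. "1.0.1e-fips"
    case "$ver" in
        1.0.1|1.0.1[abcdef])  echo vulnerable ;;      # 1.0.1 through 1.0.1f
        1.0.1[g-z])           echo not-vulnerable ;;  # 1.0.1g and later letters
        1.0.0|1.0.0[a-z]*)    echo not-vulnerable ;;  # 1.0.0 branch
        0.9.8|0.9.8[a-z]*)    echo not-vulnerable ;;  # 0.9.8 branch
        *)                    echo not-listed ;;      # outside the list above
    esac
}

# Constructed sample inputs in the format printed by `openssl version`.
# On a real server, pass "$(openssl version)" instead.
for sample in \
    "OpenSSL 1.0.1e 11 Feb 2013" \
    "OpenSSL 1.0.1e-fips 11 Feb 2013" \
    "OpenSSL 1.0.1g 7 Apr 2014" \
    "OpenSSL 0.9.8y 5 Feb 2013" \
    "OpenSSL 1.0.2-beta1 24 Feb 2014"
do
    printf '%-36s %s\n' "$sample" "$(classify_openssl_version "$sample")"
done
```

A "vulnerable" result for a distribution package should be confirmed against the package changelog, since vendors may backport the fix without changing the version letter.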
Heartbleed Test by Filippo
Scan your web applications online at http://filippo.io/Heartbleed/. You can test either by domain name or by IP address, together with the secure port.
SSL Server Test by Qualys
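Qualys SSL Labs has also included a check in its SSL scan tool to test whether the server is vulnerable to the Heartbleed attack. You can access the SSL Server Test at https://www.ssllabs.com/ssltest/
You can also test from a server's command line using the OpenSSL client, as follows.
echo "QUIT" | openssl s_client -connect facebook.com:443 -tlsextdebug 2>&1 | grep 'server extension "heartbeat" (id=15)' || echo safe
Replace facebook.com:443 with your own DNS name or IP address and port. The -tlsextdebug option makes s_client print the TLS extensions returned by the server, which is the output grep searches; if the heartbeat line is not found, the command prints safe. A match only shows that the server advertises the heartbeat extension, which a patched OpenSSL 1.0.1g can also do, so confirm the OpenSSL version before treating a match as vulnerable. The local openssl client must itself support the heartbeat extension; otherwise the server never returns it and the command prints safe regardless.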