Is your website safe from the Heartbleed bug?
The Heartbleed bug is a severe vulnerability in the OpenSSL cryptographic software library.
It allows an attacker to read sensitive information that SSL/TLS encryption is meant to protect, affecting applications such as web, email, IM, and VPN.
Detailed information about the Heartbleed bug can be found here.
In this article, I will cover how to test whether your web applications are vulnerable to Heartbleed.
Status of the different OpenSSL versions:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
If you are using an F5 device to offload SSL, you can refer here to check whether it is vulnerable.
Heartbleed Testing Tools
Filippo – You can test either by domain name or by IP address, together with the secure port.
SSL Labs – Qualys has also added a Heartbleed check to its SSL scan tool, which reports whether the given URL is vulnerable.
OpenSSL – You can also test locally from a server using the OpenSSL command-line client as follows. The grep matches the heartbeat extension line that s_client prints only when -tlsextdebug is given.
echo "QUIT"|openssl s_client -connect facebook.com:443 -tlsextdebug 2>&1|grep 'server extension "heartbeat" (id=15)' || echo safe
Obviously, replace facebook.com:443 with your own host and port.
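The version table and the s_client one-liner above can both be turned into scriptable checks. The following is an added example, not code from the original article: one function applies the article's version table to the first line of openssl version, and another interprets captured s_client -tlsextdebug output, treating a failed connection as a separate result rather than as "safe" (the one-liner prints "safe" whenever grep finds nothing, including when the connection never succeeded). Function names, the "heartbleed-check.sh" filename and the sample outputs in the comments are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): the article's two checks,
# the OpenSSL version table and the s_client heartbeat-extension probe, as
# shell functions that parse text, so they can be exercised offline against
# constructed sample output. Function names are this example's own.

# Classify the first line of `openssl version` using the article's table:
# 1.0.1 through 1.0.1f is vulnerable; 1.0.1g and later, 1.0.0 and 0.9.8 are
# not. Anything the table does not cover is reported as "not-in-table", and
# a string that is not an OpenSSL version line at all as "unknown".
classify_openssl_version() {
    # e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" -> "1.0.1e"
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        '')                            echo unknown ;;
        1.0.1 | 1.0.1[a-f])            echo vulnerable ;;
        1.0.1[g-z]* | 1.0.0* | 0.9.8*) echo not-vulnerable ;;
        *)                             echo not-in-table ;;
    esac
}

# Interpret captured output of
#   openssl s_client -connect host:port -tlsextdebug
# The article's grep looks for the line 'TLS server extension "heartbeat"
# (id=15)', which s_client prints only with -tlsextdebug. A run that never
# reached "CONNECTED(" (refused, timed out, wrong port) is reported
# separately, so a failed connection is not mistaken for a safe server.
classify_tlsext_output() {
    case "$1" in
        *'CONNECTED('*) ;;
        *) echo no-connection; return 0 ;;
    esac
    if printf '%s\n' "$1" | grep -q 'server extension "heartbeat" (id=15)'; then
        echo heartbeat-advertised
    else
        echo no-heartbeat
    fi
}

# Probe a live host (needs network access): probe_host example.com 443
probe_host() {
    out=$(echo "QUIT" | openssl s_client -connect "$1:$2" -tlsextdebug 2>&1)
    classify_tlsext_output "$out"
}

# When run as a script: report the local OpenSSL build, and probe a host if
# one is given on the command line (./heartbleed-check.sh host [port]).
if command -v openssl >/dev/null 2>&1; then
    echo "local OpenSSL: $(classify_openssl_version "$(openssl version)")"
fi
if [ $# -gt 0 ]; then
    echo "$1:${2:-443}: $(probe_host "$1" "${2:-443}")"
fi
```

Two things to keep in mind when reading the results. "heartbeat-advertised" is a presence check, not proof of vulnerability: a host upgraded to 1.0.1g still advertises the heartbeat extension, so pair the probe with the version check on the server itself. "no-heartbeat" does mean the server cannot be attacked this way, since the bug lives in the heartbeat handling.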
Fixing it is quite straightforward. There are two things you need to do.
- Upgrade OpenSSL to 1.0.1g or a later version.
- Regenerate the CSR using the upgraded version of OpenSSL and have it signed by a certificate authority. Once you receive the signed certificate, install it on each of your web servers.
I hope this helps you.