Is your website safe from Heartbleed Bug?
The Heartbleed bug is a severe OpenSSL vulnerability in the cryptographic software library. This allows exposing sensitive information over SSL/TLS encryption for applications like web, email, IM, and VPN.
Detailed information about the Heartbleed bug can be found here.
In this article, I will talk about how to test if your web applications are heartbleed security vulnerable.
Status of different OpenSSL versions:-
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
If you are using F5 to offload SSL – you can refer here to check if it’s vulnerable.
Heartbleed Testing Tools
One of the popular SSL Server Test by Qualys scan the target for more than 50 TLS/SSL related known vulnerabilities, including Heartbleed. On the test result page, you should see something like below.
TLS Scanner by Geekflare lets you quickly test your website for misconfiguration and common security flaws.
If you are testing internal sites or don’t want to use a cloud-based scanner, then you can use OpenSSL. The following command should help you with that.
echo "QUIT"|openssl s_client -connect facebook.com:443 2>&1|grep 'server extension "heartbeat" (id=15)' || echo safe
[root@lab ~]# echo "QUIT"|openssl s_client -connect geekflare.com:443 2>&1|grep 'server extension "heartbeat" (id=15)' || echo safe safe [root@lab ~]#
You are going to replace geekflare.com:443 with your site.
Fixing is quite straightforward. There are two things you got to do to fix it.
- Upgrade OpenSSL to 1.o.1g or higher version.
- Regenerate the CSR using an upgraded version of OpenSSL and get it signed by a certificate authority. Once you receive the signed certificate, implement that on your respective web servers or edge devices.
I hope this helps you.