A few days ago, I recommended changing all the passwords you sent through HTTPS. The advice was a little premature, as many sites hadn’t yet installed the OpenSSL update. Even the security tip site malwaretips.com is still vulnerable to Heartbleed (at the time of this writing). Maybe someone should give the site owner a security tip.
I guess I was a bit naïve when I assumed that everyone would update their servers after the worst security flaw in the history of the Internet became publicly known. When reading a Help Net Security article about Trend Micro’s scanners for Chrome and Android, I noticed that quite a few sites out there must still be vulnerable.
Trend Micro Heartbleed Detector
I tried the Trend Micro Heartbleed Detector for Chrome, but I can’t really recommend it. You have to test every site manually by entering the URL, which is quite cumbersome. The plugin doesn’t add an icon to Chrome’s extension bar. Actually, I wonder how the plugin is supposed to be launched because it didn’t show up in my Chrome app list; the only way I found to start it was through the Chrome web store. The tool cuts off the end of the page because I changed the font size under Windows. So I could only infer from the color of the message box whether a site was vulnerable or not. Writing this really made my heart bleed because Trend Micro’s CTO, Raimund Genes, who is mentioned in the Help Net Security article, is an old buddy from high school times.
Trend Micro Heartbleed Detector
Chromebleed for Chrome
I then searched for better Chrome extensions and found Chromebleed. The plugin adds an icon to the Extension Bar. However, unlike with other Heartbleed extensions, the icon’s color doesn’t change when the Heartbleed bug is detected. Instead, the plugin displays a popup message at the lower right corner of the browser. The advantage of this method is that you will hardly miss the warning; the downside is that if, for some reason, the plugin doesn’t work properly, you won’t be notified at all. You can change the default setting of the add-on to also display a message for websites that are clean, but who really wants to see a popup message on every web page?
What I like about Chromebleed is that it displays a red heart in the Google search results. If you google often, you get a feeling for how many sites still have a bleeding heart.
Chromebleed in Google
Stopbleed for Chrome
Stopbleed can’t really stop the bleeding, but it displays a green icon for sites with a healthy heart. The plugin shows a red heart for sites that didn’t install the OpenSSL update. In addition, it can show the same popup messages as Chromebleed. It also marks Heartbleed sites in search results. Sites that are clean are highlighted as well.
Stopbleed - A vulnerable and a clean site
Stopbleed in Google
FoxBleed for Firefox
FoxBleed also uses the icon method. A filled red heart in the Add-on Bar warns of a Heartbleed site; if the inside of the heart is white, the website's heart is fine. The problem with this plugin is that the Add-on Bar in Firefox sits at the bottom of the page, so you can easily miss the notification.
FoxBleed - A vulnerable and a clean site
Heartbleed-Ext for Firefox
Heartbleed-Ext is a better choice for Firefox because it places the icon in the Navigation Toolbar. If a site is clean, it shows a green heart; if not, it shows a red heart. In addition, it displays a warning message below the Navigation Toolbar whenever it detects a domain that is vulnerable to the Heartbleed SSL bug.
Heartbleed-Ext – A clean site
Heartbleed-Ext – a vulnerable site
It doesn't hurt to run both Heartbleed-Ext and FoxBleed in Firefox. Two security monitors are better than one.
I tested a few other add-ons, but I didn’t include them in the list here because they didn’t reliably detect Heartbleed. For instance, Netcraft claims that the latest version of their toolbar for Chrome, Firefox, and Opera is able to warn you of Heartbleed sites. This didn’t work in my test. I launched one of my old servers that still had the OpenSSL bug, and the Netcraft toolbar didn’t notice it.
I also can’t recommend trying fxbleed for Firefox. The plugin didn’t display any results. Heartbleed Check for Chrome only works if you open a site through HTTPS. Many sites (including 4sysops) only use SSL in the background for authentication.
Quite a few websites exist that allow you to enter a URL to check if the site is vulnerable. I think I tried three or four that didn’t really work until I found this one, which seems to detect Heartbleed reliably.
And Internet Explorer? I didn’t find a Heartbleed extension for Microsoft’s browser. If you know of such a plugin or another good one for Firefox and Chrome, please post a comment below.