I tried a couple of plugins that claim to detect the Heartbleed vulnerability on websites that haven’t yet updated OpenSSL. Not all of them really worked.

A few days ago, I recommended changing all the passwords you sent through HTTPS. The advice was a little premature, as many sites hadn’t yet installed the OpenSSL update. Even the security tip site malwaretips.com is still vulnerable to Heartbleed (at the time of this writing). Maybe someone should give the site owner a security tip.

I guess I was a bit naïve when I assumed that everyone would update their servers after the worst security flaw in the history of the Internet became publicly known. When reading a Help Net Security article about Trend Micro’s scanners for Chrome and Android, I noticed that quite a few sites out there must still be vulnerable.

Trend Micro Heartbleed Detector

I tried the Trend Micro Heartbleed Detector for Chrome, but I can’t really recommend it. You have to test every site manually by entering the URL, which is quite cumbersome. The plugin doesn’t add an icon to Chrome’s extension bar. Actually, I wonder how the plugin is supposed to be launched because it didn’t show up in my Chrome app list; the only way I found to start it was through the Chrome web store. The tool cuts off the end of the page because I changed the font size under Windows. So I could only infer from the color of the message box whether a site was vulnerable or not. Writing this really made my heart bleed because Trend Micro’s CTO, Raimund Genes, who is mentioned in the Help Net Security article, is an old buddy from high school times.

Trend Micro Heartbleed Detector


Chromebleed for Chrome

I then searched for better Chrome extensions and found Chromebleed. The plugin adds an icon to the Extension Bar. However, unlike with other Heartbleed extensions, the icon’s color doesn’t change when the Heartbleed bug is detected. Instead, the plugin displays a popup message at the lower right corner of the browser. The advantage of this method is that you will hardly miss the warning; the downside is that if, for some reason, the plugin doesn’t work properly, you won’t be notified at all. You can change the default setting of the add-on to also display a message for websites that are clean, but who really wants to see a popup message on every web page?

Chromebleed


What I like about Chromebleed is that it displays a red heart in the Google search results. If you google often, you get a feeling for how many sites still have a bleeding heart.

Chromebleed in Google


Stopbleed for Chrome

Stopbleed can’t really stop the bleeding, but it displays a green icon for sites with a healthy heart. The plugin shows a red heart for sites that didn’t install the OpenSSL update. In addition, it can show the same popup messages as Chromebleed. It also marks Heartbleed sites in search results. Sites that are clean are highlighted as well.


Stopbleed - A vulnerable and a clean site

Stopbleed in Google


FoxBleed for Firefox

FoxBleed also uses the method with the icon. A filled red heart in the Add-on Bar warns of a Heartbleed site. If the inside of the heart is white, you know that the website’s heart is quite okay. The problem with this plugin is that the Add-on Bar in Firefox is at the bottom of the page. Thus, you can easily miss the notification.


FoxBleed - A vulnerable and a clean site

Heartbleed-Ext for Firefox

Heartbleed-Ext is a better choice for Firefox because it places the icon in the Navigation Toolbar. If a site is clean, it shows a green heart; if not, it shows a red heart. In addition, it displays a warning message below the Navigation Toolbar whenever it detects a domain that is vulnerable to the Heartbleed SSL bug.

Heartbleed-Ext – A clean site


Heartbleed-Ext – A vulnerable site


It can’t be wrong to run both Heartbleed-Ext and FoxBleed in Firefox. Two security monitors are better than one.

I tested a few other add-ons, but I didn’t include them in the list here because they didn’t reliably detect Heartbleed. For instance, Netcraft claims that the latest version of their toolbar for Chrome, Firefox, and Opera is able to warn you of Heartbleed sites. This didn’t work in my test. I launched one of my old servers that still had the OpenSSL bug, and the Netcraft toolbar didn’t notice it.

I also can’t recommend trying fxbleed for Firefox. The plugin didn’t display any results. Heartbleed Check for Chrome only works if you open a site through HTTPS. Many sites (including 4sysops) only use SSL in the background for authentication.

Quite a few websites exist that allow you to enter a URL to check if the site is vulnerable. I think I tried three or four that didn’t really work until I found this one, which seems to detect Heartbleed reliably.

And Internet Explorer? I didn’t find a Heartbleed extension for Microsoft’s browser. If you know of such a plugin or another good one for Firefox and Chrome, please post a comment below.

3 Comments
  1. Soeren P 9 years ago

    “I think I tried three or four that didn’t really work until I found this one, which seems to detect Heartbleed reliably.”
    The URL on >this one< must be wrong, points to http://www.iegallery.com/Search?q=heartbleed

  2. Michael Pietroforte 9 years ago

    Soeren, thanks a lot for the hint. I corrected the link now.

  3. Soeren P 9 years ago

    Thank you, and thanks a lot for a great site. Always a pleasure to visit.
