Internet stats clearinghouse Netcraft has released a new tool aimed at letting consumers know when the sites they visit might have been compromised by the Heartbleed encryption bug. There are lots of tools available that can scan servers to determine whether they're affected by the Heartbleed vulnerability right now, albeit of …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Friday 18th April 2014 06:45 GMT fearnothing

Obligatory snobbish comment

If someone is using IE, what's the likelihood they would think of installing an extension like this anyway?

5 0
Friday 18th April 2014 09:03 GMT Version 1.0

But wait, there's more ...

So your site is now secure ... but what about Flash?

Although running Flash does seem to suggest that the site is Insecure by Design.

3 3
1. Friday 18th April 2014 09:44 GMT Anonymous Coward
  
  Re: But wait, there's more ...
  
  And Java. Don't forget, that's another massive security hole.
  
  3 2
2. Friday 18th April 2014 11:39 GMT Hans 1
  
  Re: But wait, there's more ...
  
  @Version 1.0
  
  iOS fanboi, he ?
  
  0 2
Friday 18th April 2014 09:58 GMT The Unexpected Bill

I just have to ask...

Does the extension really support Firefox 1.0? Is anyone really still running that ancient of a release? (No, wait. I'm not sure I want to know.)

I'm probably too lazy to actually download v1.0 of Firefox and find out...

Back to your regularly scheduled program.

1 1
Friday 18th April 2014 10:31 GMT winnyuk

Please add bootnote for security warning

A similar article covered by Ars highlights the add-on uses insecure methods to submit URL queries.

http://arstechnica.com/security/2014/04/now-theres-an-easy-way-to-flag-sites-vulnerable-to-heartbleed/

0 0
Friday 18th April 2014 11:37 GMT Hans 1

which means users of Internet Explorer and Safari are left in the dark.

As they always have been ... nothing new there.

3 0
Friday 18th April 2014 13:07 GMT EJ

Visiting Fedex.com and attempting a blank logon in order to kick over to their SSL site, Netcraft reports the following: "The site offered the Heartbeat TLS extension prior to the Heartbleed disclosure, but is using a new certificate and no longer offers Heartbeat."

So it sounds like they've now addressed it, no?

0 0
1. Friday 18th April 2014 18:47 GMT John Smith 19
  
  @EJ
  
  "Visiting Fedex.com and attempting a blank logon in order to kick over to their SSL site, Netcraft reports the following: "The site offered the Heartbeat TLS extension prior to the Heartbleed disclosure, but is using a new certificate and no longer offers Heartbeat."
  
  So it sounds like they've now addressed it, no?
  
  "
  
  RTFA.
  
  0 0
Monday 21st April 2014 17:47 GMT Justin Pasher

Risky information

"If the Netcraft extension determines that a site was vulnerable before news of Heartbleed broke, it checks the date on the site's SSL certificate to make sure it has been recently replaced. If it hasn't, the extension displays an alert."

Ugh... That's all fine and dandy if every CA changed the issue date on certificate reissues. I've read from multiple sources that this is not always the case. I know that GoDaddy will update the issue date, but I think Comodo is an example of one that does not update it. Without installing the extension and knowing how the "alert" is presented to the user, they could be venturing into dangerous territory by saying a site is still affected when it's truly not.

Also considering the possibility where someone was running a non-vulnerable version (0.9.8 or 1.0.0) and they upgraded their servers to now be running 1.0.0g+. Most likely they wouldn't get their cert reissued because they were never vulnerable.

0 0