Netcraft adds Heartbleed sniffing to site-scanning browser tool

Internet stats clearinghouse Netcraft has released a new tool aimed at letting consumers know when the sites they visit might have been compromised by the Heartbleed encryption bug. There are lots of tools available that can scan servers to determine whether they're affected by the Heartbleed vulnerability right now, albeit of …

COMMENTS

This topic is closed for new posts.
  1. fearnothing
    Joke

    Obligatory snobbish comment

    If someone is using IE, what's the likelihood they would think of installing an extension like this anyway?

  2. Version 1.0 Silver badge

    But wait, there's more ...

    So your site is now secure ... but what about Flash?

    Although running Flash does seem to suggest that the site is Insecure by Design.

    1. Anonymous Coward

      Re: But wait, there's more ...

      And Java. Don't forget, that's another massive security hole.

    2. Hans 1
      Gimp

      Re: But wait, there's more ...

      @Version 1.0

      iOS fanboi, eh?

  3. The Unexpected Bill
    WTF?

    I just have to ask...

    Does the extension really support Firefox 1.0? Is anyone really still running that ancient of a release? (No, wait. I'm not sure I want to know.)

    I'm probably too lazy to actually download v1.0 of Firefox and find out...

    Back to your regularly scheduled program.

  4. winnyuk
    Alert

    Please add bootnote for security warning

    A similar article covered by Ars highlights the add-on uses insecure methods to submit URL queries.

    http://arstechnica.com/security/2014/04/now-theres-an-easy-way-to-flag-sites-vulnerable-to-heartbleed/

  5. Hans 1
    Windows

    which means users of Internet Explorer and Safari are left in the dark.

    As they always have been ... nothing new there.

  6. EJ

    Visiting Fedex.com and attempting a blank logon in order to kick over to their SSL site, Netcraft reports the following: "The site offered the Heartbeat TLS extension prior to the Heartbleed disclosure, but is using a new certificate and no longer offers Heartbeat."

    So it sounds like they've now addressed it, no?

    1. John Smith 19 Gold badge
      FAIL

      @EJ

      "Visiting Fedex.com and attempting a blank logon in order to kick over to their SSL site, Netcraft reports the following: 'The site offered the Heartbeat TLS extension prior to the Heartbleed disclosure, but is using a new certificate and no longer offers Heartbeat.'

      So it sounds like they've now addressed it, no?"

      RTFA.

  7. Justin Pasher
    Stop

    Risky information

    "If the Netcraft extension determines that a site was vulnerable before news of Heartbleed broke, it checks the date on the site's SSL certificate to make sure it has been recently replaced. If it hasn't, the extension displays an alert."

    Ugh... That's all fine and dandy if every CA changed the issue date on certificate reissues. I've read from multiple sources that this is not always the case. I know that GoDaddy will update the issue date, but I think Comodo is an example of one that does not update it. Without installing the extension and knowing how the "alert" is presented to the user, they could be venturing into dangerous territory by saying a site is still affected when it's truly not.

    Also consider the possibility where someone was running a non-vulnerable version (0.9.8 or 1.0.0) and they upgraded their servers to now be running 1.0.0g+. Most likely they wouldn't get their cert reissued because they were never vulnerable.
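
The issue-date concern raised in comment 7, as an added example that is not part of the thread and not Netcraft's code: it runs the date rule quoted there next to an assumed alternative that compares public-key fingerprints, and also covers one case the comment does not mention (a certificate re-signed with the same key). The `Site` fields, fingerprints and dates are constructed for illustration; 7 April 2014 is the public disclosure date.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

DISCLOSURE = date(2014, 4, 7)  # public disclosure of Heartbleed


@dataclass
class Site:
    offered_heartbeat_before: bool  # Heartbeat extension seen before disclosure
    not_before: date                # issue date (notBefore) of the certificate served now
    old_key: Optional[str]          # key fingerprint recorded before disclosure, if any
    new_key: str                    # key fingerprint of the certificate served now


def alert_by_date(s: Site) -> bool:
    """Rule as quoted in the comment: exposed site whose certificate date is not recent."""
    return s.offered_heartbeat_before and s.not_before <= DISCLOSURE


def alert_by_key(s: Site) -> bool:
    """Assumed alternative: alert only when the possibly leaked key is still served."""
    if not s.offered_heartbeat_before:
        return False
    if s.old_key is None:           # no history for this site: fall back to the date
        return alert_by_date(s)
    return s.old_key == s.new_key


# Constructed observations; fingerprints are placeholders, not real values.
SITES = {
    "reissued, new issue date": Site(True, date(2014, 4, 10), "fp-A", "fp-B"),
    "reissued, CA kept old issue date": Site(True, date(2013, 9, 1), "fp-A", "fp-C"),
    "re-signed with the same key": Site(True, date(2014, 4, 10), "fp-A", "fp-A"),
    "never replaced": Site(True, date(2013, 9, 1), "fp-A", "fp-A"),
    "never offered Heartbeat": Site(False, date(2012, 6, 1), None, "fp-D"),
}


def compare() -> dict:
    """Map each case to (date rule alerts, key rule alerts)."""
    return {name: (alert_by_date(s), alert_by_key(s)) for name, s in SITES.items()}


if __name__ == "__main__":
    for name, (by_date, by_key) in compare().items():
        print(f"{name:34} date rule: {by_date!s:5}  key rule: {by_key}")
```

The second case is the false alarm the comment describes; the third is the opposite error, where a fresh issue date hides a key that was never changed.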
