You’ve all heard about the Heartbleed bug in OpenSSL that leaves a lot of information in the open, even private keys for web servers. This catastrophe has been well described in the Heartbleed website and loads of other places.
There is advice on the SANS site for patching the software, and a Heartbleed test site for servers that are on the public internet.
If you have an internal HTTPS server (or if you want to check all your HTTPS servers), you might be interested in the InterMapper Probe I created that checks a web server for vulnerability to the Heartbleed bug.
Download from Github.com/blueberryhillsoftware
Instructions:
- Download and import the Check Heartbleed probe into your InterMapper server
- Add one or more web servers to a map
- Set Probe… and select Servers-Standard/HTTP & HTTPS/Check Heartbleed
- The Check Heartbleed probe may take a while to run as it tests all four versions of encryption. You may need to set the Timeout and response time thresholds to 15 seconds to allow it to complete.
The default Version parameter is set to -1: this checks all versions of TLS (v1.0, v1.1, v1.2) for the vulnerability. You may also enter a version of 0, 1, or 2 to test only TLS v1.0, v1.1, or v1.2, respectively.
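For readers who want to see what the probe is looking for on the wire, here is an added example (my own, not part of the probe or this post) from the detection side: it walks TLS records, and flags any heartbeat message whose declared payload length exceeds what the record actually carries, which is the malformed request that an unpatched server answers with leaked memory. The byte stream it scans is constructed inline.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

HEARTBEAT = 0x18                      # TLS content type for heartbeat (RFC 6520)
TLS_VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}
MIN_PADDING = 16                      # RFC 6520 requires at least 16 bytes of padding

@dataclass
class Finding:
    offset: int
    version: str
    reason: str

def parse_records(data: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Walk TLS records: yield (offset, content_type, version, body)."""
    off = 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        yield off, ctype, ver, data[off + 5:off + 5 + length]
        off += 5 + length

def check_heartbeat(body: bytes) -> Optional[str]:
    """Return a reason string if the heartbeat body is malformed, else None."""
    if len(body) < 3:
        return "heartbeat body shorter than its 3-byte header"
    hb_type, payload_len = body[0], struct.unpack("!H", body[1:3])[0]
    if hb_type not in (1, 2):             # 1 = request, 2 = response
        return f"unknown heartbeat type {hb_type}"
    # A vulnerable peer copies payload_len bytes back regardless of what arrived.
    if 3 + payload_len + MIN_PADDING > len(body):
        return f"declared payload {payload_len} exceeds record body of {len(body)} bytes"
    return None

def scan(data: bytes) -> List[Finding]:
    """Flag every heartbeat record in a byte stream whose length fields do not add up."""
    findings = []
    for off, ctype, ver, body in parse_records(data):
        if ctype == HEARTBEAT:
            reason = check_heartbeat(body)
            if reason:
                findings.append(Finding(off, TLS_VERSIONS.get(ver, hex(ver)), reason))
    return findings

# Constructed sample stream: an application-data record, a well-formed heartbeat
# request ("ping" plus 16 bytes of padding), then a request that claims 16384 bytes.
APP_DATA = bytes([0x17, 0x03, 0x03, 0x00, 0x02]) + b"\xaa\xbb"
BENIGN_BODY = b"\x01" + struct.pack("!H", 4) + b"ping" + b"\x00" * MIN_PADDING
BENIGN = bytes([HEARTBEAT, 0x03, 0x01]) + struct.pack("!H", len(BENIGN_BODY)) + BENIGN_BODY
MALFORMED = bytes([HEARTBEAT, 0x03, 0x02, 0x00, 0x03]) + b"\x01" + struct.pack("!H", 16384)
SAMPLE = APP_DATA + BENIGN + MALFORMED
```

Running `scan(SAMPLE)` reports only the third record, at offset 35, as a TLS 1.1 heartbeat whose declared payload cannot fit in the record.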
Test Cases
- The server at https://cloudflarechallenge.com:443 is intentionally vulnerable to Heartbleed
- All major HTTPS sites either never were vulnerable, or have been patched.
I have made the Check Heartbleed Probe for InterMapper available at no cost, under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.
Cheers!
Updated: 12Jun2014 – added screen shot, minor edits to Status Window