This Is our Village

Sunday, April 13, 2014

HEARTBLEED - A SERVER MEMORY LEAK IN OPENSSL - HOW TO TEST A SITE'S SAFETY

-
Heartbleed is a vulnerability in OpenSSL, the open-source software library that a large share of web servers use to provide SSL/TLS encryption. Stated simply, an attacker can connect to a vulnerable server directly, with no need to intercept or redirect anyone else's connection, and send a malformed keep-alive message (called a heartbeat) that claims to carry more data than it really does. The server answers by sending back up to 64 KB of whatever happens to be in its memory, which can include other users' passwords and session cookies or even the server's private encryption key, and the attacker can repeat the request as often as he likes. In technical terms, the bug is known as a "buffer over-read": the heartbeat code trusted the length stated in the request instead of checking it against the amount of data actually received, and adding that missing bounds check is the fix (OpenSSL 1.0.1g, CVE-2014-0160).
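To make the "buffer over-read" concrete, here is a small C model written for this post. It is not OpenSSL's code: the record layout follows the heartbeat extension (RFC 6520) and the two bounds checks in the patched handler mirror the ones OpenSSL 1.0.1g added, but the handler names, the memory arena and the planted "secret" string are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of a TLS heartbeat handler (RFC 6520 layout), written
 * for this post; not OpenSSL source.
 *   byte 0     type: 1 = request, 2 = response
 *   bytes 1-2  payload length, big-endian (16 bits, so up to 65535)
 *   bytes 3..  payload, followed by at least 16 bytes of padding */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Builds the response once the caller has decided the request is safe. */
static size_t hb_reply(const uint8_t *payload_start, uint16_t payload,
                       uint8_t *out, size_t out_cap)
{
    if ((size_t)3 + payload + HB_PADDING > out_cap)
        return 0;                           /* protects only our output buffer */
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, payload_start, payload); /* echo back 'payload' bytes */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Vulnerable handler: trusts the length field in the request and never
 * compares it with rec_len, the number of bytes actually received. A client
 * that claims more payload than it sent makes memcpy read past the record
 * into whatever the server holds in adjacent memory. */
static size_t hb_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    (void)rec_len;                          /* never consulted: that is the bug */
    if (rec[0] != HB_REQUEST)
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return hb_reply(rec + 3, payload, out, out_cap);
}

/* Patched handler: same logic plus the bounds checks the fix added. Malformed
 * requests are silently discarded, as RFC 6520 asks. */
static size_t hb_patched(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if ((size_t)1 + 2 + HB_PADDING > rec_len)
        return 0;                           /* too short to hold a header */
    if (rec[0] != HB_REQUEST)
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return 0;                           /* claimed length exceeds what arrived */
    return hb_reply(rec + 3, payload, out, out_cap);
}

/* Constructed demo: an arena stands in for the server's heap. The request
 * sits at the front and carries one real payload byte; the string placed
 * after it stands in for other users' data that happens to be nearby. */
static const char SECRET[] = "session=7f3a9c; password=hunter2";

static size_t run_request(int patched, uint16_t claimed,
                          uint8_t *resp, size_t resp_cap)
{
    uint8_t arena[256] = {0};
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    arena[3] = 'A';                                     /* the one real payload byte */
    size_t rec_len = 3 + 1 + HB_PADDING;                /* 20 bytes actually received */
    memcpy(arena + rec_len + 8, SECRET, sizeof SECRET); /* "adjacent" memory */
    return patched ? hb_patched(arena, rec_len, resp, resp_cap)
                   : hb_vulnerable(arena, rec_len, resp, resp_cap);
}

static int contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0)
            return 1;
    return 0;
}

/* 1 if a request claiming 200 bytes makes the handler echo the secret. */
int demo_leaks_secret(int patched)
{
    uint8_t resp[512];
    size_t n = run_request(patched, 200, resp, sizeof resp);
    return n > 0 && contains(resp, n, "password=");
}

/* Honest request (claims 1 byte, sends 1 byte): both handlers reply with
 * 3 + 1 + 16 = 20 bytes, so the fix does not break normal heartbeats. */
size_t demo_honest_reply_len(int patched)
{
    uint8_t resp[512];
    return run_request(patched, 1, resp, sizeof resp);
}

int main(void)
{
    uint8_t resp[512];
    size_t n = run_request(0, 200, resp, sizeof resp);
    printf("vulnerable handler returned %zu bytes, payload reads:\n  ", n);
    for (size_t i = 3; i < n - HB_PADDING; i++)
        putchar(resp[i] >= 32 && resp[i] < 127 ? resp[i] : '.');
    printf("\npatched handler returned %zu bytes\n",
           run_request(1, 200, resp, sizeof resp));
    return 0;
}
```

Compile with `cc -Wall heartbeat_model.c && ./a.out`: the vulnerable handler answers a 1-byte request with 219 bytes, and the planted `password=hunter2` appears in the echoed payload; the patched handler returns 0 bytes for the same request and still answers an honest 1-byte request with 20. Because the length field is 16 bits, a single real request could pull up to about 64 KB, and nothing stopped an attacker repeating it.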
-
The purpose of this post is not to confuse, but rather to offer a way to test whether the sites you connect to have had this critical flaw fixed. Below are some sites where you can run that test. As an example, let's say that you use Gmail. Simply go to one of the sites listed below and enter the string:

GMAIL.COM
-
Continue below.

https://lastpass.com/heartbleed/
-
The page prompts "Enter a URL or a hostname to test the server for CVE-2014-0160." For GMAIL.COM it reports:

All good, Gmail.com seems fixed or unaffected!

If you get this message, CHANGE YOUR PASSWORD. The fix stops the leak from now on, but anything the server exposed before it was patched, including your password, may already have been captured, so a password set before the fix should not be trusted.
-
Now, let's try COMCAST.NET
.....................................
Same prompt, "Enter a URL or a hostname to test the server for CVE-2014-0160." This time the tool reports:

Uh-oh, something went wrong: dial tcp 69.252.80.75:443: i/o timeout
Check what it means at the FAQ.
It might mean that the server is safe, we just can't be 100% sure!

-
Clearly, this is not a clean response. A timeout means the checker could not reach the server on port 443 at all, so it tells you nothing either way about whether the fix has been applied. You might change your password now as a precaution, but keep checking back until you get a clean response for the COMCAST.NET site, and then change your password again, because a password set while the server was still vulnerable could itself have been leaked.
-
I used the first site on the list of four; you might wish to try another, or all four, to check for consistency.
-
Please take the time to do this little task, as this is a serious bug, and you want to be sure your passwords and data are safe.
-
Dave Israel
-

1 comment:

  1. OK, I was using the list from major companies at http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
