
Test your server for the Heartbleed bug - FiloSottile
http://filippo.io/Heartbleed/
======
malgorithms
Very cool! Tested my site before and after a patch, and it recognized the fix.
A quick UI tip: you should give some indicator while the test is running. I
couldn't tell anything was happening while I waited. Even just a spinner gif
of some kind.

------
Titanous
Here's a tool I wrote to test locally:
[https://github.com/titanous/heartbleeder](https://github.com/titanous/heartbleeder)

~~~
imemine
I get these errors:
/usr/lib/go/src/pkg/github.com/titanous/heartbleeder/tls/cipher_suites.go:66:
undefined: cipher.AEAD
/usr/lib/go/src/pkg/github.com/titanous/heartbleeder/tls/cipher_suites.go:133:
undefined: cipher.AEAD
/usr/lib/go/src/pkg/github.com/titanous/heartbleeder/tls/cipher_suites.go:149:
undefined: cipher.AEAD
/usr/lib/go/src/pkg/github.com/titanous/heartbleeder/tls/handshake_server.go:556:
undefined: crypto.PublicKey
/usr/lib/go/src/pkg/github.com/titanous/heartbleeder/tls/tls.go:93: undefined:
net.Dialer

Am I missing something?

~~~
Titanous
You need to use Go version >= 1.2.

~~~
imemine
aah! Okay, thanks man.

------
gojomo
FYI, I tested herokuapp.com's SSL support. It reports as vulnerable. :(

On the bright side, since such servers are Heroku's inbound load-balancers,
individual app dyno secrets in RAM probably aren't at risk. But, impersonating
herokuapp.com, decoding its sessions, or viewing fragments of arbitrary other
traffic through the same server may all be possible.

Heroku reports they're aware and working on it:
[http://status.heroku.com](http://status.heroku.com)

------
ars
I thought it was broken since nothing happened when I clicked. Then I looked
again and had a result.

I'm also getting this error:

    
    
        Error: not well-formed
        Source File: http://heartbleed.filippo.io/bleed/foo.com
        Line: 1, Column: 1
        Source Code:
        {"code": 1, "data": ""}

~~~
xur17
Yeah, I had the same issue. A spinning wheel while it's waiting would be
helpful.

Other than that, great work @ars!

------
tlrobinson
I hope you're saving the results so we can shame companies who don't revoke
their certs.

Caching the results should also lighten the load on your server
significantly, since many people are probably checking common websites.

------
FiloSottile
Ok, deployed on a m1.xlarge! You should see the site responsive now.

~~~
FiloSottile
Still down, going for a Load Balancer. Should have optimized this more :(

~~~
xxdesmus
If you want to offer up the code on Github I'm sure plenty of people would be
happy to put up some mirrors to spread the fun/pain.

------
gtaylor
It looks like Amazon ELB + HTTPS come back as vulnerable with their newest
default cipher suite. That's fun.

~~~
tptacek
Does the bug have anything to do with ciphersuites? The heartbeat protocol
happens at the record layer, above encryption.

------
kurosan
Red Hat rocks. CVE submitted 2014-04-07, errata release 2014-04-07. Nice.

------
metabren
Here's another as the site is getting hammered:

[http://possible.lv/tools/hb/](http://possible.lv/tools/hb/)

~~~
Erwin
Not quite as good though. The above will just let you know whether you have the
extension, but not whether you have the patched version, which can also be
done from the CLI by using:

    
    
        echo -e "quit\n" | openssl s_client -connect server.com:443 -tlsextdebug 2>&1 | grep heartbeat

(as someone suggested in another thread here). That will answer Yes to a
patched OpenSSL.

The OP's site actually attempts a (mild?) exploit of this.

~~~
metabren
Fair enough, thanks for the explanation. :)

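Added example, not part of any comment above and not the code behind the OP's site or Titanous's heartbleeder: a Python simulation of what a heartbeat probe checks, covering both Erwin's point (seeing the heartbeat extension advertised is not the same as seeing whether the server bounds-checks the request) and tptacek's point (the heartbeat message sits in the record layer, so the cipher suite is irrelevant to the bug). No TLS is spoken here; the message layout is the one from RFC 6520 (type, 16-bit payload_length, payload, at least 16 bytes of padding), and the two handlers mirror the unpatched OpenSSL logic and the length check introduced by the 1.0.1g fix. The "neighbouring memory" bytes, the function names and the 0x4000 claimed length are constructed for the example.

```python
import struct

# RFC 6520 heartbeat message constants
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # minimum padding the RFC requires

# Constructed "heap neighbour" content: what sits after the record in the
# simulated process memory. Any secret would do; this one is made up.
SIMULATED_NEIGHBOUR = (
    b"GET /account HTTP/1.1\r\nCookie: session=deadbeef\r\n"
    b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"
)


def build_heartbeat_record(claimed_len, payload=b""):
    """Build a heartbeat request whose length field may lie about the payload."""
    return (bytes([HEARTBEAT_REQUEST])
            + struct.pack("!H", claimed_len)
            + payload
            + b"\x00" * PADDING_LEN)


def make_memory(record):
    """Lay the record out in a flat buffer with foreign data right after it."""
    return bytes(record) + SIMULATED_NEIGHBOUR


def vulnerable_heartbeat(memory, offset, record_length):
    """Unpatched behaviour: copy payload_length bytes, never checking it
    against the length of the record that actually arrived."""
    p = offset
    hbtype = memory[p]
    p += 1
    (payload_len,) = struct.unpack("!H", memory[p:p + 2])
    p += 2
    if hbtype != HEARTBEAT_REQUEST:
        return None
    echoed = memory[p:p + payload_len]  # the memcpy that over-reads
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len)
            + echoed + b"\x00" * PADDING_LEN)


def patched_heartbeat(memory, offset, record_length):
    """1.0.1g behaviour: reject requests whose claimed payload does not fit
    inside the record, and silently discard them."""
    if 1 + 2 + PADDING_LEN > record_length:
        return None
    p = offset
    hbtype = memory[p]
    p += 1
    (payload_len,) = struct.unpack("!H", memory[p:p + 2])
    p += 2
    if 1 + 2 + payload_len + PADDING_LEN > record_length:
        return None  # this is the check that was missing
    if hbtype != HEARTBEAT_REQUEST:
        return None
    echoed = memory[p:p + payload_len]
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len)
            + echoed + b"\x00" * PADDING_LEN)


def leaked_after_record(response, record_length):
    """Strip the response header and padding, then drop the bytes that
    legitimately belonged to our own request; whatever is left came from
    outside the record."""
    echoed = response[3:-PADDING_LEN]
    return echoed[record_length - 3:]


def probe(handler, claimed_len=0x4000):
    """Send a request with an empty payload but a large claimed length and
    return the foreign bytes that come back (empty if the handler is safe)."""
    record = build_heartbeat_record(claimed_len)
    memory = make_memory(record)
    response = handler(memory, 0, len(record))
    if response is None:
        return b""
    return leaked_after_record(response, len(record))


if __name__ == "__main__":
    for name, handler in (("unpatched", vulnerable_heartbeat),
                          ("patched", patched_heartbeat)):
        leak = probe(handler)
        print(name, "VULNERABLE" if leak else "not vulnerable",
              repr(leak[:40]) if leak else "")
```

A well-formed request (claimed length equal to the real payload) is still echoed by the patched handler, which is why a probe has to lie about the length to distinguish a fixed server from one that merely advertises the extension.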
------
erichurkman
Awesome, thanks for this.

Any chance you would open source this?

~~~
smtddr
I'm going to say.... not to do this just yet.

I mentioned in another thread today that perhaps having the source code for
script-kiddies to start attacking everything might not be the best thing to do
at this time. I think it's great to just have a website like this to test the
vulnerability. It would also be nice if someone like Google could host the
page so it won't get knocked down by too many requests as I'm sure will be
happening for the next few days.

~~~
diminoten
Sure, because letting one central source get to compile a list of all the
vulnerable sites sure sounds like a fantastic idea...

~~~
smtddr
I'll take my chances with one site having the list rather than open-sourcing
it and having every script-kiddie dumping RAM out of all the sensitive systems
of the interwebz.

(Sidenote: Bitcoin exchanges, please for the love of all that is good... don't
start getting owned by this. UPDATE NOW)

~~~
diminoten
What, you mean like this?

[https://gist.github.com/hlein/10121981](https://gist.github.com/hlein/10121981)

What, pray tell, is a script kiddie going to do with that, other than ogle at
the word "vulnerable"?

------
tlrobinson
GitHub.com is vulnerable, FYI.

~~~
tlrobinson
They appear to be patched now.

------
kukkukb
I have a bunch of servers on Ubuntu 12.04 LTS. Did the test. Came back as
vulnerable. Then did an apt-get upgrade, which upgraded a bunch of SSL
services. Did the test again. Still vulnerable.

What else should I do?

~~~
nmcfarl
On Ubuntu 12.04 LTS you need to upgrade both 'libssl1.0.0' and 'openssl' - I'd
check that the version of both is: 1.0.1-4ubuntu5.12

And then restart everything that comes back from a

    
    
         sudo lsof -n | grep ssl | grep DEL

~~~
kukkukb
Excellent! That did the trick. It was nginx and percona that also had to be
restarted.

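Added example, not nmcfarl's or kukkukb's own script: a POSIX shell helper for the restart step above. It takes `lsof -n` output and lists every process still mapping a deleted libssl or libcrypto (the thread greps only for "ssl"; libcrypto is matched here too because the same libssl1.0.0 package upgrade replaces it). The lsof lines in SAMPLE_LSOF are constructed for the example; the live section assumes an Ubuntu host with dpkg and lsof available and only runs when invoked with --live.

```sh
#!/bin/sh
# Fixed package version for Ubuntu 12.04 LTS, as quoted in the thread.
FIXED_VERSION="1.0.1-4ubuntu5.12"

# Read `lsof -n` output on stdin; print "PID COMMAND" once per process that
# still maps a deleted OpenSSL library. lsof columns are:
#   COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
# and a replaced-but-still-mapped file ends its NAME with "(deleted)".
stale_ssl_processes() {
    awk '/libssl|libcrypto/ && /\(deleted\)/ { seen[$2 " " $1]++ }
         END { for (k in seen) print k }' | sort -n
}

# Just the distinct command names, which is what you need to know what to
# restart (nginx, mysqld, ...).
stale_ssl_commands() {
    stale_ssl_processes | awk '{ print $2 }' | sort -u
}

# Constructed sample output in lsof's format (not from a real host).
SAMPLE_LSOF='COMMAND    PID USER  FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx     1234 root  mem    REG  252,0   387880 1234 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
nginx     1235 www   mem    REG  252,0   387880 1234 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
mysqld    2001 mysql mem    REG  252,0  1930000 5678 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
sshd       900 root  mem    REG  252,0   387880 9999 /lib/x86_64-linux-gnu/libssl.so.1.0.0
bash      3000 root  txt    REG  252,0   959120 4444 /bin/bash'

# Live mode: check the installed package versions with dpkg, then list what
# still needs restarting. Requires root for a complete lsof listing.
if [ "${1:-}" = "--live" ]; then
    for pkg in libssl1.0.0 openssl; do
        ver=$(dpkg-query -W -f='${Version}' "$pkg")
        if dpkg --compare-versions "$ver" ge "$FIXED_VERSION"; then
            echo "$pkg $ver: fixed"
        else
            echo "$pkg $ver: STILL VULNERABLE, run apt-get update && apt-get upgrade"
        fi
    done
    echo "processes still mapping the old library:"
    lsof -n | stale_ssl_processes
else
    printf '%s\n' "$SAMPLE_LSOF" | stale_ssl_processes
fi
```

Run as `sudo sh restart-check.sh --live` after the upgrade; an empty process list plus both packages reporting "fixed" is the state kukkukb reached after restarting nginx and percona.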
------
thefox
Found some Facebook servers that are vulnerable for the bug:
[http://pastebin.com/dmYYpx2y](http://pastebin.com/dmYYpx2y)

------
benoliver999
Good stuff. I forgot to patch a server of mine...

