HackLabs have performed some quick testing of the ASX Top 200 sites for site that could potentialy be exposed to the HeartBleed TLS vulnerability, We noted that about 10% of sites are vulnerable at the time of writing.
Some sites that were tested and found vulnerable earlier in the day appear to have been patched, which is great work by some busy sysadmins today.
Some may dismiss this with who would bother? But with the various exploit code that we have reviewed and tested on our systems (which we have had exploitation permission for) we have been able to dump from the affected servers plain text Usernames and Passwords, Session Cookies of banking customers and other information that would at the least allow compromise of User Accounts etc. from the affected web applications running on the tested servers.
To test whether the SSL service is vulnerable, a number of methods are available.
You can connect with openssl client with TLS debugging enabled and check whether the service reports the TLS server extension “heartbeat”
eg. openssl s_client -connect server.com:443 -tlsextdebug | grep “server extension”
echo -e "quit\n" | openssl s_client -connect server.com:443 -tlsextdebug 2>&1 | grep heartbeat
As of April 2014, www.google.com reported this server extension:
[Date] => Tue, 08 Apr 2014 06:18:34 GMT
TLS server extension "heartbeat" (id=15), len=1
However the reporting of this TLS extension (or lack of it) does not mean the service is necessarily vulnerable. An online tester which actually implements the vulnerability is available here:
and a site can be submitted directly as follows:
If a response code of 0 = vulnerable, and returns leaked plaintext snippet demonstrating the injected “YELLOW SUBMARINE” string.
The Go source code to this tester is available here:
High profile sites that were reported today as vulnerable (which have now been fixed, apparently) include: