Heart Bleed bug test: Netcraft browser plug-in identifies and checks sites infected by Heartbleed

Netcraft, the British Internet service company known for its anti-phishing toolbar on Firefox, has released a browser extension that alerts a user when a site they visit hasn't been patched to protect against the Heartbleed bug or vulnerability.

The free extension can be installed on the Google Chrome, Firefox and Opera browsers. The extension can be found at http://toolbar.netcraft.com/

Netcraft's extension checks to see if a website could be vulnerable to the Heartbleed bug. The software checks the private key certificate of the website a user is visiting to see if it has been updated since the Heartbleed disclosure. If not, the site is flagged as unsafe.

The browser extension uses data from an Internet-wide automated survey the company previously conducted. It is an update of a previously released Netcraft security tool.

Netcraft estimates that some 17 percent of all trusted SSL (Secure Socket Layer) Web servers are vulnerable to attack by the Heartbleed bug. OpenSSL is an open-source implementation of the SSL and TLS (Transport Layer Security) protocols that encrypt sensitive data such as passwords so they can transmitted securely across a public network.

Experts said that only certain versions of OpenSSL are affected by Heartbleed. These affected versions were mostly deployed along with the open source Apache and Nginx servers that run about 66 percent of all servers on the Internet.

Despite the Netcraft fix, there is no way for a user to tell if a site he visits has applied the Heartbleed patch. And even when a site has fixed the Heartbleed vulnerability, attackers might have already used Heartbleed to steal the private key of the site. This will allow thieves to steal data by way of a "man-in-the-middle attack."

In this form of snooping, an attacker makes independent connections with his victims and relays messages between them. This leads the victims to believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

Copyright © 2014 Ecumenical News