Most Free Heartbleed Tools are Defective


Alvin Bryan

Alvin Bryan is a freelance writer and online privacy enthusiast currently contributing quality tips and troubleshooting on personal VPN services, and online privacy and security news. You can also find him on Google+.

Many companies and individuals have been using free tools to check their websites for the Heartbleed vulnerability. But 95% of these free Heartbleed tools are defective. They can give website owners and users false comfort, putting them at even greater risk than if they had not tested at all.

Defective Heartbleed Tools Leave More Customer Data Exposed

When most people check the websites they manage and use for Heartbleed, they use free tools. The problem is that most of the free online Heartbleed tools are defective. People who have used these tools have been given a false sense of security: they check a website, are given a thumbs up, and then log in to change their account passwords to safeguard them. But with a faulty tool, the site may still be vulnerable, and the new password they type into it can be pulled out of the server's memory just like the old one. Their accounts and all the data in them are therefore still exposed.

95% of the tools that have been developed to detect Heartbleed have bugs. These defects mean that they cannot reliably detect the Heartbleed bug: affected websites are declared clean when they are actually still vulnerable. Such websites are therefore likely to be leaking customer data. Passwords are still exposed, and the server's private encryption keys can still be stolen.

Hut3 Penetration Tests

Hut3, a security company, has conducted penetration testing to determine the reliability of Heartbleed testing tools. They worry that many website users and administrators are feeling confident in the security of their systems without good reason. Edd Hardy of Hut3 says that companies could be reporting that their services are secure when they really are not.

The tools that were developed to check for the Heartbleed vulnerability are based on the proof-of-concept code that was created to demonstrate it. But according to Hut3, that proof-of-concept code has bugs of its own, and the tools inherited them. Even the tools released by large Internet companies are defective. One of these bugs concerns which SSL/TLS versions the tool is willing to negotiate. The checking tools have problems with common server configurations, and a configuration they cannot negotiate with is reported as a clean result rather than as a failed test.

The problem is that the tools attempt the check over TLSv1.1 only. If the server being checked does not support that version, the handshake fails. No other version is tried, so the tool declares that the Heartbleed vulnerability is not present, when the honest answer is that nothing was tested. The same failure occurs with cipher suites: the tools offer only a fixed list, leaving 267 of the 318 defined suites unsupported, so a server configured for the other suites can never complete a handshake with the tool. Another false negative happens when the Internet connection is slow and the tool times out before the server answers; a timeout is also reported as "not vulnerable".

Hut3 has developed its own Heartbleed detection tool that they say works better. It can be found at https://gist.github.com/ah8r/10632982 and runs as a Python script. For average Internet users, this will be a very difficult test to run. Internet companies and website administrators need to take the initiative and responsibility to properly test their services.
