Cybersecurity

How to Check If a Site Is Safe From 'Heartbleed'

Leszek Glasner/Shutterstock.com

This post follows one a few hours ago about the Heartbleed security failure, and for safety's sake it repeats information I have added to that post as an update.

Point 1: If you would like to test to see whether a site is exposed to the loophole created (over the past two years) by the OpenSSL bug, you can gohere and enter the URL you are concerned about. (This tip via Bruce Schneier.) As explained in the FAQ, the test sometimes delivers "false positives" for vulnerability  -- that is, it may report problems with a site that actually is OK, or that is in the middle of taking steps to protect itself. But the site's creator explains why "false negatives" -- OK signals when there actually is a problem -- should be very rare, and practically non-existent if you perform the test several times.

Point 2: If a site tests through as Safe, then it makes sense to change your password there. And all of my email and financial sites are now saying Safe, so the changes I am making there will stick.

But even if a site does not say Safe, the people I have asked say that it still makes sense to change -- even though you'll need to change again when the SSL for that site is fully repaired.

Reasoning: If you change it now, it's possible that a still-active hacker will capture info today. But if you don't change it now, anything exploited in the past two years is still vulnerable. Also, many sites that are not yet fully protected are on higher alert than they would have been before this news, so hackers may have a tougher time in the new environment than when this was an unknown-unknown.

Point 3: The guy who created the test site, a young Italian cryptologist based in Milan, has a donation button on the site.

UPDATE: Here is another industrial-strength test site. I tried the same domain on it, and the score you see here is way, way close to the top of those it has tried. 

Previous post

(Image via Leszek Glasner/Shutterstock.com)

Threatwatch Alert

Network intrusion / Stolen credentials

Dominion Resources personnel who arranged wellness screenings became hacking victims

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
// 11:09 AM ET