Now: an easy way to flag sites vulnerable to Heartbleed

Post by rhoenix:

Developers at Internet services company Netcraft have released a browser extension that makes it easy for Web surfers to know if the site they're visiting is vulnerable to the catastrophic Heartbleed vulnerability.

The extension works on the Chrome, Firefox, and Opera browsers. It's available here, and you can read Netcraft's description of it here. Once installed, it provides a bleeding heart icon and warning sign when users visit a site that remains susceptible to one or more of the risks posed by Heartbleed, the extremely critical bug that allows attackers to pluck sensitive data from the memory of vulnerable servers. Exposed data most often seems to include usernames and passwords, but it can also include taxpayer identification numbers and even the private encryption keys that are a website's crown jewels.
The Netcraft extension will alert users if an OpenSSL-powered site has yet to install an update that's immune to Heartbleed exploits. It also lets people know if sites that have updated OpenSSL are still using an HTTPS encryption certificate that has yet to be changed since OpenSSL was updated. That latter alert is crucial, since possession of a private encryption key makes it possible for attackers to impersonate HTTPS-protected sites with malicious sites that are almost impossible for most end users to detect. Out of an abundance of caution, all sites that were vulnerable to Heartbleed should assume their keys are now in the hands of malicious attackers.
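As an added example (not code from the article or from Netcraft's extension), here is the two-stage triage the paragraph above describes, written against the certificate dict that Python's `ssl.SSLSocket.getpeercert()` returns; the function names, the `still_vulnerable` probe result and the sample certificates are assumptions/constructed.

```python
import ssl
from datetime import datetime, timezone

# Heartbleed was publicly disclosed on 7 April 2014; no certificate issued before
# this date can have been reissued "after OpenSSL was updated".
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def parse_cert_time(cert_time):
    """Parse the 'Apr 07 00:00:00 2014 GMT' format used in getpeercert() dicts."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def heartbleed_status(still_vulnerable, cert, patched_at=None):
    """Classify a site the way the article describes the extension's alerts.

    still_vulnerable: result of a Heartbleed probe (True = server still leaks memory).
    cert:             dict in getpeercert() shape; only 'notBefore' is used here.
    patched_at:       aware datetime when OpenSSL was updated, if the operator knows it.
                      When unknown the disclosure date is used as the earliest possible
                      fix date, so an "ok" can be a false negative for certificates
                      issued after disclosure but before the actual patch.
    Returns one of "vulnerable", "key-possibly-compromised", "ok".
    """
    if still_vulnerable:
        return "vulnerable"
    cutoff = patched_at or HEARTBLEED_DISCLOSED
    not_before = parse_cert_time(cert["notBefore"])
    # A certificate that predates the fix was in memory on a leaky server:
    # assume its private key is compromised until it is revoked and replaced.
    if not_before < cutoff:
        return "key-possibly-compromised"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: patched server still serving a pre-disclosure certificate.
    old_cert = {"subject": ((("commonName", "example.test"),),),
                "notBefore": "Mar 01 00:00:00 2014 GMT"}
    print(heartbleed_status(False, old_cert))  # key-possibly-compromised
```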

Figures Netcraft provided Wednesday show why people should be on the lookout for sites with potentially compromised keys. Of the 500,000 HTTPS-enabled sites the company estimates were vulnerable to Heartbleed, only 80,000 of them have revoked and replaced their old certificates. That means the vast majority of formerly vulnerable sites remain susceptible to spoofing attacks and in some cases passive eavesdropping even though the gaping Heartbleed hole may have been plugged.

The Netcraft extension gives the HTTPS-protected portion of Ars a green light, since our tech team patched OpenSSL and replaced its old certificate nine days ago. Interested readers are invited to install the extension and leave comments reporting any vulnerable sites that get flagged.

Update: Several readers have noted the privacy drawbacks posed by use of the Netcraft extension. Among other things, according to one reader, the extension sends visited URLs that can include query strings, and it does so using an unencrypted HTTP connection. If true, that leaves a list of visited sites open for surveillance and man-in-the-middle attacks. Netcraft has a fuller privacy disclosure in the "About" tab of the extension. Ars readers are encouraged to think over the implications before installing the extension.
