Friday 18 April 2014

Still Worried About Heartbleed? Developers Offer HB Identifier

Heartbleed quickly went from whispers (or screams) within the cybersecurity world to a trending topic on Twitter and other social media as word spread that internet users needed to take steps to protect themselves and their information from the vulnerability. Some web platforms and products (including us at SumRando) released statements confirming that their operations were not affected by Heartbleed, while others warned that their users' information could have been exposed.

This week, Ars Technica reported that developers at Netcraft have released a browser extension to help internet users spot sites that were, or still are, exposed to the Heartbleed bug. With it, users can see which of the sites they visit could have been susceptible, and so work out which of their own data may have leaked.

If providers have already determined whether or not they were affected (or should have), why do we need this identifier? AT reports that far too few HTTPS sites have finished cleaning up: patching OpenSSL is only the first step, and most have not yet replaced the certificates and keys that may have leaked while they were vulnerable:

Figures Netcraft provided Wednesday show why people should be on the lookout for sites with potentially compromised keys. Of the 500,000 HTTPS-enabled sites the company estimates were vulnerable to Heartbleed, only 80,000 of them have revoked and replaced their old certificates. That means the vast majority of formerly vulnerable sites remain susceptible to spoofing attacks and in some cases passive eavesdropping even though the gaping Heartbleed hole may have been plugged.

How does the extension work? AT explains:

The extension works on the Chrome, Firefox, and Opera browsers. It's available here, and you can read Netcraft's description of it here. Once installed, it provides a bleeding heart icon and warning sign when users visit a site that remains susceptible to one or more of the risks posed by Heartbleed, the extremely critical bug that allows attackers to pluck sensitive data from the memory of vulnerable servers. Exposed data most often seems to include usernames and passwords, but it can also include taxpayer identification numbers and even the private encryption keys that are a website's crown jewels.

The Netcraft extension will alert users if an OpenSSL-powered site has yet to install an update that's immune to Heartbleed exploits. It also lets people know if sites that have updated OpenSSL are still using an HTTPS encryption certificate that has yet to be changed since OpenSSL was updated. That latter alert is crucial, since possession of a private encryption key makes it possible for attackers to impersonate HTTPS-protected sites with malicious sites that are almost impossible for most end users to detect. Out of an abundance of caution, all sites that were vulnerable to Heartbleed should assume their keys are now in the hands of malicious attackers.
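The two checks described in the passage above, worked through in code as an added example for this post (it is not Netcraft's extension code, nor anything from SumRando): first, is the server still running a Heartbleed-affected OpenSSL build (upstream 1.0.1 through 1.0.1f, or 1.0.2-beta1; fixed in 1.0.1g on 7 April 2014); second, if it has been patched, was its certificate issued before the fix, meaning the private key was in use while memory could be read and should be treated as stolen. The version strings and `notBefore` lines below are constructed inputs in the format printed by `openssl x509 -noout -dates`; the function names and the `was_vulnerable` flag (a record that the site was seen vulnerable before patching) are this example's own.

```python
"""Heartbleed exposure triage, modelled on the two checks the Netcraft
extension makes: (1) is the server still on a vulnerable OpenSSL build,
(2) does its certificate predate the fix, so the key may have leaked.

Added example for this blog post, not Netcraft's code. All inputs are
constructed: version strings as a scanner might read them from a banner,
and notBefore lines in the format of `openssl x509 -noout -dates`.
"""
from datetime import date, datetime
import re

# OpenSSL 1.0.1g, which closed the hole, shipped on the disclosure date.
HEARTBLEED_FIX_DATE = date(2014, 4, 7)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?$")


def openssl_version_vulnerable(version):
    """True if the upstream OpenSSL release string is a Heartbleed-affected
    one: 1.0.1 through 1.0.1f, plus 1.0.2-beta1. The 1.0.0 and 0.9.8 lines
    never had the TLS heartbeat code. Caveat: distributions backported the
    fix into packages still labelled e.g. "1.0.1e", so a banner version is a
    hint, not proof; a real scan must probe the heartbeat handling itself."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    major, minor, patch, letter, beta = m.groups()
    release = (int(major), int(minor), int(patch))
    if release == (1, 0, 1):
        return letter == "" or letter <= "f"   # 1.0.1 .. 1.0.1f affected
    if release == (1, 0, 2):
        return beta == "1"                      # only 1.0.2-beta1 affected
    return False


def parse_openssl_date(line):
    """Parse 'notBefore=Apr  7 00:00:00 2014 GMT' (or just the value part)
    as printed by `openssl x509 -noout -dates` into a date."""
    value = line.split("=", 1)[1] if "=" in line else line
    return datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z").date()


def cert_predates_fix(not_before_line, fixed_on=HEARTBLEED_FIX_DATE):
    """True if the certificate (hence its private key) was already in use
    before the server was fixed. Such a key may have been read out of
    memory while the server was vulnerable and must be replaced, with the
    old certificate revoked, even though OpenSSL is now patched. Pass the
    site's actual patch date as fixed_on when it is known; the disclosure
    date is only a lower bound."""
    return parse_openssl_date(not_before_line) < fixed_on


def triage(openssl_version, not_before_line, was_vulnerable=True,
           fixed_on=HEARTBLEED_FIX_DATE):
    """Verdict in the spirit of the extension's two alerts:
    UNPATCHED   - still a vulnerable build, memory can be read right now
    KEY_AT_RISK - patched, but the certificate predates the fix
    OK          - patched and re-keyed, or never vulnerable"""
    if openssl_version_vulnerable(openssl_version):
        return "UNPATCHED"
    if was_vulnerable and cert_predates_fix(not_before_line, fixed_on):
        return "KEY_AT_RISK"
    return "OK"


# Constructed sample sites (hypothetical names, not real scan results).
SAMPLE_SITES = [
    ("still-broken.example", "1.0.1e", "notBefore=Mar 10 00:00:00 2014 GMT", True),
    ("patched-old-key.example", "1.0.1g", "notBefore=Jan  5 08:30:00 2014 GMT", True),
    ("patched-rekeyed.example", "1.0.1g", "notBefore=Apr 12 09:00:00 2014 GMT", True),
    ("never-affected.example", "1.0.0l", "notBefore=Feb  1 00:00:00 2014 GMT", False),
]


def triage_all(sites=SAMPLE_SITES):
    """Return {hostname: verdict} for a list of (host, version, notBefore, was_vulnerable)."""
    return {host: triage(ver, nb, vuln) for host, ver, nb, vuln in sites}


if __name__ == "__main__":
    for host, verdict in triage_all().items():
        print("%-28s %s" % (host, verdict))
```

The `was_vulnerable` flag stands in for Netcraft's own scan history: the certificate-date alert only makes sense for sites that were actually exposed, since a site that never ran the affected code has no reason to re-key. A certificate with a post-fix `notBefore` is not by itself proof that the key changed either; a CA can reissue a certificate for the same key, so when in doubt compare the public key in the old and new certificates as well.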

To read more about this extension, check out yesterday’s post on Ars Technica.
