heartbleeder
Wish: Run as server to test browser
It would be awesome if you could run it as a server so you could test if your browser is vulnerable.
Yep, was considering doing this. It shouldn't be hard.
Would love to see this too! Not just for testing browsers, but also for HTTPS clients in various languages.
Yeah, I'm not aware of any browsers that use OpenSSL (Firefox/Chrome use NSS).
I think Chrome on Android uses OpenSSL, but I could be mistaken. I know that it is planned to migrate to OpenSSL, but I don't know for which Chrome version this is planned or if this plan is already implemented. I know that Chrome uses different SSL/TLS libraries on different operating systems.
Ah, interesting.
Yup, wanted to write the same. It made the news in January. It would also be great (even necessary) to check for any statically linked services.
I tried to implement it, but my Go is not good enough :/
This may help you to get an easy CA going (should be ok for a test server): http://stackoverflow.com/questions/22666163/golang-tls-with-selfsigned-certificate http://kylelemons.net/browse/gitweb.cgi/go/ccert.git/blob/HEAD:/ca/ca.go#l83
@gatgitgutgetgot actually, the cert generation is really easy: generate_cert.go.
@titanous I think it would reduce the coding requirement to a call like Gen(a name, an organisation), but either way I am happy and thankful for any solution :)
Myself, I failed not on the certs but on a mix of not being an SSL buff and not knowing Go well ... I tried to deduce stuff from your history but it didn't work. I'll happily study your stuff when/if you implement it and thank you in advance.
(I was pointed to this project by someone who claimed that this project did not report their IMAP service as vulnerable, although my tool reported otherwise :?)
Firefox/Chrome/IE ("browser") are not vulnerable because they do not use OpenSSL. Konqueror on KDE (and anything that uses KIO) are possibly vulnerable.
And as observed in another pull request, you do not even need a certificate to test clients. After the ServerHello (and thus after the ClientHello...), you can immediately send as many heartbeats as you want. In that sense it is much easier to exploit clients than servers. If you like Python, see https://github.com/Lekensteyn/pacemaker for an implementation.
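Added example, not part of the thread and not code from heartbleeder or pacemaker: the detection side of the point above, a Go scanner that walks one direction of a plaintext TLS record stream and flags heartbeat requests arriving before ChangeCipherSpec whose declared payload length cannot fit in the record. The names `Finding`, `ScanHeartbeats` and `sample` are hypothetical, and the byte stream is constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Finding describes one malformed plaintext heartbeat record.
type Finding struct {
	Offset, Declared, Actual int // record offset, claimed payload_length, real record length
}

// ScanHeartbeats walks TLS records (5-byte header: type, version, length) and
// reports heartbeat requests whose payload_length does not fit: RFC 6520 needs
// 1 type byte + 2 length bytes + payload + at least 16 padding bytes.
func ScanHeartbeats(stream []byte) []Finding {
	var out []Finding
	for off := 0; off+5 <= len(stream); {
		ctype := stream[off]
		rlen := int(binary.BigEndian.Uint16(stream[off+3 : off+5]))
		body := off + 5
		// Stop on a truncated capture or at ChangeCipherSpec (20):
		// records after it are encrypted and cannot be inspected here.
		if body+rlen > len(stream) || ctype == 20 {
			break
		}
		if ctype == 24 && rlen >= 3 && stream[body] == 1 { // heartbeat request
			declared := int(binary.BigEndian.Uint16(stream[body+1 : body+3]))
			if 1+2+declared+16 > rlen {
				out = append(out, Finding{off, declared, rlen})
			}
		}
		off = body + rlen
	}
	return out
}

// sample returns a constructed stream, not a real capture.
func sample() []byte {
	s := []byte{22, 3, 2, 0, 4, 2, 0, 0, 0}      // stub handshake record
	s = append(s, 24, 3, 2, 0, 3, 1, 0x40, 0x00) // claims 16384 bytes in a 3-byte record
	s = append(s, 24, 3, 2, 0, 23, 1, 0, 4)      // well-formed: 4-byte payload
	return append(s, make([]byte, 20)...)        // its payload plus 16 bytes of padding
}

func main() {
	for _, f := range ScanHeartbeats(sample()) {
		fmt.Printf("offset %d: declared %d, record carries %d\n", f.Offset, f.Declared, f.Actual)
	}
}
```

Heartbeats sent after the handshake completes are encrypted, so this check only covers the pre-ChangeCipherSpec case the comment describes.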
@Lekensteyn We don't have STARTTLS support, so I'm not sure that testing an IMAP server would work.
IMAP accepts TLS connections over 993, so it should be possible to test.
pacemaker supports STARTTLS which is what I used to test his IMAP server. It is possible that he only checked 993 and somehow managed to leave 143 vulnerable.