
Wish: Run as server to test browser

Open panzi opened this issue 10 years ago • 11 comments

It would be awesome if you could run it as a server so you could test if your browser is vulnerable.

panzi avatar Apr 08 '14 22:04 panzi

Yep, was considering doing this. It shouldn't be hard.

titanous avatar Apr 08 '14 22:04 titanous

Would love to see this too! Not just for testing browsers, but also for HTTPS clients in various languages.

aaronpk avatar Apr 08 '14 23:04 aaronpk

Yeah, I'm not aware of any browsers that use OpenSSL (Firefox/Chrome use NSS).

titanous avatar Apr 08 '14 23:04 titanous

I think Chrome on Android uses OpenSSL, but I could be mistaken. I know that it is planned to migrate to OpenSSL, but I don't know for which Chrome version this is planned or if this plan is already implemented. I know that Chrome uses different SSL/TLS libraries on different operating systems.

panzi avatar Apr 08 '14 23:04 panzi

Ah, interesting.

titanous avatar Apr 08 '14 23:04 titanous

Yup, wanted to write the same. It made the news in January. It would also be great (even necessary) to check for any statically linked services.

I tried to implement it, but my Go is not good enough :/

This may help you to get an easy CA going (should be ok for a test server): http://stackoverflow.com/questions/22666163/golang-tls-with-selfsigned-certificate http://kylelemons.net/browse/gitweb.cgi/go/ccert.git/blob/HEAD:/ca/ca.go#l83

gatgitgutgetgot avatar Apr 08 '14 23:04 gatgitgutgetgot

@gatgitgutgetgot actually, the cert generation is really easy: generate_cert.go.

titanous avatar Apr 08 '14 23:04 titanous

@titanous I think it would reduce the coding requirement to a call like Gen(a name, an organisation), but either way I am happy and thankful for any solution :)

Myself, I failed not on the certs but on a mix of not being an SSL buff and not knowing Go well ... I tried to deduce stuff from your history but it didn't work. I'll happily study your stuff when/if you implement it and thank you in advance.

gatgitgutgetgot avatar Apr 08 '14 23:04 gatgitgutgetgot

(I was pointed to this project by someone who claimed that this project did not report their IMAP service as vulnerable, although my tool reported otherwise :?)

Firefox/Chrome/IE ("browser") are not vulnerable because they do not use OpenSSL. Konqueror on KDE (and anything that uses KIO) are possibly vulnerable.

And as observed in another pull request, you do not even need a certificate to test clients. After the ServerHello (and thus after the ClientHello...), you can immediately send as many heartbeats as you want. In that sense it is much easier to exploit clients than servers. If you like Python, see https://github.com/Lekensteyn/pacemaker for an implementation.

Lekensteyn avatar Apr 14 '14 09:04 Lekensteyn
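As an added illustration (not code from heartbleeder or pacemaker) of the server-side view described above: before any heartbeat is involved, a test server can already tell from the ClientHello whether the client advertises the RFC 6520 heartbeat extension at all. A client that never offers it (the NSS-based browsers mentioned earlier) cannot be affected, while one that does still needs a proper check, since patched OpenSSL advertises it too. The extension type value 15 and the constructed sample ClientHello are assumptions of this example, not taken from the thread.

```python
import struct

HEARTBEAT_EXT = 15  # RFC 6520 heartbeat extension type (assumed, not from the thread)


def _field(buf, pos, n):
    """Pop a field carrying an n-byte big-endian length prefix; return (bytes, new_pos)."""
    if pos + n > len(buf):
        raise ValueError("truncated length prefix")
    end = pos + n + int.from_bytes(buf[pos:pos + n], "big")
    if end > len(buf):
        raise ValueError("field overruns ClientHello")
    return buf[pos + n:end], end


def client_hello_extensions(record):
    """Parse one TLS record carrying a ClientHello; return the extension types it advertises."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if hs_len < 34 or len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 34  # skip client_version (2) + random (32)
    for n in (1, 2, 1):  # session_id, cipher_suites, compression_methods
        _, pos = _field(body, pos, n)
    if pos == len(body):
        return []  # legacy ClientHello without an extensions block
    exts, pos = _field(body, pos, 2)
    if pos != len(body):
        raise ValueError("trailing bytes after extensions")
    types = []
    while exts:
        if len(exts) < 4:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack(">HH", exts[:4])
        if 4 + ext_len > len(exts):
            raise ValueError("extension overruns block")
        types.append(ext_type)
        exts = exts[4 + ext_len:]
    return types


def sample_client_hello(extensions=b""):
    """Constructed minimal TLS 1.2 ClientHello record (not captured from a real client)."""
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\xc0\x2f\x01\x00"  # no sid, 1 suite, null compr.
    body += struct.pack(">H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake
```

Feed the first record a connecting client sends to `client_hello_extensions` and test for `HEARTBEAT_EXT` in the result; `sample_client_hello(b"\x00\x0f\x00\x01\x01")` builds a hello that advertises heartbeat with peer_allowed_to_send set.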

@Lekensteyn We don't have STARTTLS support, so I'm not sure that testing an IMAP server would work.

titanous avatar Apr 14 '14 14:04 titanous

IMAP accepts TLS connections over 993, so it should be possible to test.

pacemaker supports STARTTLS which is what I used to test his IMAP server. It is possible that he only checked 993 and somehow managed to leave 143 vulnerable.

Lekensteyn avatar Apr 14 '14 14:04 Lekensteyn