Testing Heartbleed from the client-side perspective
18 April 2014 | CERT Polska | #heartbleed

In the last week or so, infosec headlines were dominated by reports on the OpenSSL vulnerability (CVE-2014-0160). We blogged on what the situation looked like in regard to Polish services and address space (and TOR as well). It is worth noting, however, that the OpenSSL library is not used only in server software. It is also a very common element of client software. What does that mean? If client software that uses a vulnerable version of OpenSSL connects to a crafted malicious server, the server can ‘download’ a portion of data from client memory. This portion may contain data the software operates on, e.g. a password for a database or configuration.
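Why the direction of the connection does not matter, as an added example (not code from CERT Polska or OpenSSL): whichever side receives a heartbeat request must check the peer-supplied payload length against the bytes actually received before echoing anything back, and vulnerable OpenSSL versions skipped that check. The message layout is taken from RFC 6520, which the post does not describe; the function name, error codes and sample messages are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HB_REQUEST     1   /* heartbeat_request (RFC 6520) */
#define HB_HEADER_LEN  3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PADDING 16  /* minimum padding required by RFC 6520 */

/* Error codes are names chosen for this example. */
#define HB_TOO_SHORT       (-1L)
#define HB_NOT_REQUEST     (-2L)
#define HB_LENGTH_MISMATCH (-3L)

/*
 * Return how many payload bytes (starting at msg + HB_HEADER_LEN) may be
 * echoed back, or a negative error code. msg_len is the number of bytes
 * actually received in the record, never the length the peer claims.
 */
long hb_safe_payload_len(const uint8_t *msg, size_t msg_len)
{
    /* Even an empty payload needs the header plus minimum padding. */
    if (msg == NULL || msg_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return HB_TOO_SHORT;
    if (msg[0] != HB_REQUEST)
        return HB_NOT_REQUEST;

    /* Peer-supplied, big-endian, untrusted. */
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];

    /* The bounds check: claimed payload must fit in what was received. */
    if (claimed > msg_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return HB_LENGTH_MISMATCH;
    return (long)claimed;
}

/* Constructed sample messages; unlisted trailing bytes are zero padding. */
static const uint8_t SAMPLE_HONEST[23]   = {1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t SAMPLE_OVERLONG[19] = {1, 0x40, 0x00}; /* claims 16384 bytes */
static const uint8_t SAMPLE_RESPONSE[19] = {2, 0x00, 0x00};

int main(void)
{
    printf("honest:   %ld\n", hb_safe_payload_len(SAMPLE_HONEST, sizeof SAMPLE_HONEST));
    printf("overlong: %ld\n", hb_safe_payload_len(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG));
    printf("response: %ld\n", hb_safe_payload_len(SAMPLE_RESPONSE, sizeof SAMPLE_RESPONSE));
    return 0;
}
```

A receiver that copies the claimed number of bytes without this comparison reads past the end of the received message into adjacent process memory, which is the data the post describes the server 'downloading' from a client.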

To simplify testing of client applications, CERT Polska prepared a service that allows testing of any client software using SSL – from web browsers to custom console applications.

Is your app vulnerable?


Heartbleed client test