
Install chromebleed!!!!!

OP Androidwarrior

15th April 2014, 11:25 PM | #1
Androidwarrior (OP, Senior Member)
Heartbleed: Install Chromebleed on Chrome to Detect Affected Sites

Yesterday, OpenSSL’s biggest bug – Heartbleed – was announced, along with the fact that it affected some two thirds of the world’s websites.

Some pretty important sites have been affected by the security bug, including Yahoo, Flickr, Kickass Torrents and many more.

Visiting these sites until the vulnerability is fixed is a bit dangerous. While the situation hasn’t exactly changed over the past two years and users are still vulnerable to the same issues, more hackers could now attempt to exploit the bug.

Since any attacks conducted so far have left no traces, there’s no way of knowing exactly how many times the vulnerability was used to obtain data that should have been encrypted, be it passwords or banking information.

Now that Heartbleed has been exposed, sites are that much more in danger until they fix the security problem since, after all, if hackers didn’t know about the bug, they do now.

Along with the announcement, a patch has been made available for OpenSSL, as well as a small Chrome extension for those users who want to make sure they’re not browsing a website that is still exposed to the issue.

Dubbed “Chromebleed,” the tool uses a web service developed by Filippo Valsorda and checks the URL of the page. If affected by Heartbleed, a notification will be displayed.

The tool is in no way intrusive and takes a small place in the extensions bar to the right of the address bar in the browser. It can easily be removed at any time.

You can download Chromebleed from the Chrome Web Store or from Softpedia.

16th April 2014, 03:03 PM | #2
Junior Member
Not a very smart thing to install SOME application to run on your device to detect a security hole.
It's a nice way to trick people to install things they would not normally install.

Heartbleed is out in the air for a longer time, not from yesterday.

16th April 2014, 06:34 PM | #3
hu_ciao (Junior Member)
OpenSSL TLS flaw
Claims most all testers are flawed.

"Herein lies the problem with the detection tools..."

http://www.theguardian.com/technolog...n-tools-flawed

A good look at the results of detection tools compared:

http://www.hut3.net/blog/cns---netwo...ction-scripts-

I know OpenSSL is free software, but maybe someone could pay them to have a few full-time employees?

One plus ten or so volunteers? Not gonna catch everything :-$

17th April 2014, 01:16 PM | #4
theumad (Senior Member)
Doesn't make sense to test for something you cannot fix. We should wait for updates from the devs and that's the only thing we can do.

19th April 2014, 04:11 PM | #5
av2588 (Member)
Can smartphones, particularly Android ones, be affected by this bug? I thought only Windows are affected. Correct me if I'm wrong...

29th April 2014, 12:23 AM | #6
hu_ciao (Junior Member)
New funding for OpenSSL security audits etc.
Quote:
Originally Posted by av2588

Can smartphones, particularly Android ones, be affected by this bug? I thought only Windows are affected. Correct me if I'm wrong...

If you run Android 4.1.1 or a similar early JB, you might still be open to exploit.

Quote:

Apr 15, 2014
The Heartbleed OpenSSL flaw affects the earliest version of Jelly Bean, which powers millions of activated Android devices.

http://www.citeworld.com/article/214...-disaster.html

If you'd like to check yourself out: https://play.google.com/store/apps/d...tbleeddetector

This thing might be less likely in future.

Quote:

Tech giants team up to prevent new 'Heartbleed' -- 04/24/14

http://thehill.com/policy/technology...new-heartbleed


++++++++EDIT+++++++++

Sorry - I spoke too soon. Others may also be vulnerable to that heartbeat flaw.


Quote:

According to FireEye, Android apps can often bypass the operating system's libraries for cryptography and use their own native OpenSSL
libraries, which may not have been patched. Even though an app may be connecting to a secure, patched server, if the app itself uses
a vulnerable version of OpenSSL, the connection is still insecure, Hui Xue, senior engineer...
...
To add further insult to injury for end users, FireEye found that apps that claim to scan for the Heartbleed flaw on Android, for the most part,
don't really work. Looking at 17 different apps that claim to scan for Heartbleed ...
"Only two of them did a decent check on Heartbleed vulnerability of apps,"...
...
"We've also seen several fake Heartbleed detectors in the 17 apps, which don't perform real detections nor display detection results to users
and only serve as adware."

http://www.eweek.com/security/heartb...s-at-risk.html
Last edited by hu_ciao; 1st May 2014 at 03:22 AM. Reason: Omission
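
Added example (not part of the thread, nor code from FireEye or any poster): the quoted point that apps can ship their own native OpenSSL can be checked from the defender's side by listing the OpenSSL version banners inside an APK's bundled `.so` files. The sample APK and its library names are constructed for illustration; a banner in the affected range (1.0.1 through 1.0.1f, or 1.0.2-beta1) only means the library needs a closer look, since a build can carry an affected version number with the heartbeat extension compiled out.

```python
import io
import re
import zipfile

# Banner OpenSSL embeds in its binaries, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(-[a-z0-9]+)? \d")


def in_heartbleed_range(version, letter, suffix):
    """Heartbleed affects OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1."""
    if version == "1.0.1":
        # Suffixed builds (e.g. "-fips") are judged on the letter alone.
        return letter in ("", "a", "b", "c", "d", "e", "f")
    return version == "1.0.2" and letter == "" and suffix == "-beta1"


def scan_apk(apk_bytes):
    """Return (path, version, flagged) for every OpenSSL banner in lib/*.so."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            for match in sorted(set(BANNER.findall(apk.read(name)))):
                version, letter, suffix = (part.decode("ascii") for part in match)
                findings.append((name, version + letter + suffix,
                                 in_heartbleed_range(version, letter, suffix)))
    return findings


def build_sample_apk():
    """Constructed sample: a ZIP laid out like an APK with two fake native libs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("classes.dex", b"dex\n035\x00")
        apk.writestr("lib/armeabi-v7a/libbundledssl.so",
                     b"\x7fELF\x00OpenSSL 1.0.1e 11 Feb 2013\x00")
        apk.writestr("lib/armeabi-v7a/libpatchedssl.so",
                     b"\x7fELF\x00OpenSSL 1.0.1g 7 Apr 2014\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for path, version, flagged in scan_apk(build_sample_apk()):
        print(f"{path}: OpenSSL {version} -> {'INSPECT' if flagged else 'ok'}")
```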

29th April 2014, 06:25 PM | #7
Tornado15550 (Junior Member)
All 4.1.1 devices should be updated to 4.1.2 by manufacturers regardless of whether they were former flagships or entry level devices.
