XDA Developers Android and Mobile Development Forum

Install chromebleed!!!!!

 
Androidwarrior
#1
Senior Member - OP
Thanks Meter 31
Posts: 156
Join Date: Apr 2014
Install chromebleed!!!!!

Heartbleed: Install Chromebleed on Chrome to Detect Affected Sites

Yesterday, OpenSSL’s biggest bug – Heartbleed – was announced, along with the fact that it affected some two thirds of the world’s websites.

Some pretty important sites have been affected by the security bug, including Yahoo, Flickr, Kickass Torrents and many more.

Visiting these sites until the vulnerability is fixed is a bit dangerous. While the situation hasn’t exactly changed over the past two years and users are still vulnerable to the same issues, more hackers could now attempt to exploit the bug.

Since any attacks conducted so far have left no traces, there’s no way of knowing exactly how many times the vulnerability was used to obtain data that should have been encrypted, be it passwords or banking information.

Now that Heartbleed has been exposed, sites are that much more in danger until they fix the security problem since, after all, if hackers didn’t know about the bug, they do now.

Along with the announcement, a patch has been made available for OpenSSL, as well as a small Chrome extension for those users who want to make sure they’re not browsing a website that is still exposed to the issue.

Dubbed “Chromebleed,” the tool uses a web service developed by Filippo Valsorda and checks the URL of the page. If affected by Heartbleed, a notification will be displayed.

The tool is in no way intrusive and takes a small place in the extensions bar to the right of the address bar in the browser. It can easily be removed at any time.

You can download Chromebleed from the Chrome Web Store or from Softpedia.

Sent from my SM-N900P using XDA Premium 4 mobile app
 
YCkcaJ
#2  
Junior Member
Thanks Meter 3
Posts: 22
Join Date: Mar 2014
Not a very smart thing to install SOME application to run on your device to detect a security hole.
It's a nice way to trick people to install things they would not normally install.

Heartbleed is out in the air for a longer time, not from yesterday.
Neken N6S, MT6592 8x1.66GHz, 2/16GB, 3000mAh, 5.0" 1080p IPS.
 
hu_ciao
#3
Junior Member
Thanks Meter 5
Posts: 16
Join Date: Mar 2014

 
OpenSSL TLS flaw

Claims most all testers are flawed.

"Herein lies the problem with the detection tools..."

http://www.theguardian.com/technolog...n-tools-flawed

A good look at the results of detection tools compared:

http://www.hut3.net/blog/cns---netwo...ction-scripts-

I know OpenSSL is free software, but maybe someone could pay them to have a few full time employees?

One plus ten or so volunteers? Not gonna catch everything :-$
 
theumad
#4
Senior Member
Thanks Meter 256
Posts: 350
Join Date: Sep 2009

 
Doesn't make sense to test for something you cannot fix. We should wait for updates from the devs and that's the only thing we can do.
 
av2588
#5
Member
Thanks Meter 11
Posts: 59
Join Date: Feb 2014
Location: Legazpi City
Can smartphones, particularly Android ones, be affected by this bug? I thought only Windows are affected. Correct me if I'm wrong...
 
hu_ciao
(Last edited by hu_ciao; 1st May 2014 at 03:22 AM.) Reason: Omission
#6  
Junior Member
Thanks Meter 5
Posts: 16
Join Date: Mar 2014

 
New funding for OpenSSL security audits etc.

Quote:
Originally Posted by av2588
Can smartphones, particularly Android ones, be affected by this bug? I thought only Windows are affected. Correct me if I'm wrong...

If you run Android 4.1.1 or similar early JB you might be still open to exploit.

Quote:
Apr 15, 2014
The Heartbleed OpenSSL flaw affects the earliest version of Jelly Bean, which powers millions of activated Android devices.
http://www.citeworld.com/article/214...-disaster.html

If you'd like to check yourself out: https://play.google.com/store/apps/d...tbleeddetector

This thing might be less likely in future.

Quote:
Tech giants team up to prevent new 'Heartbleed' -- 04/24/14
http://thehill.com/policy/technology...new-heartbleed


++++++++EDIT+++++++++

Sorry - I spoke too soon. Others may also be vulnerable to that heartbeat flaw


Quote:
According to FireEye, Android apps can often bypass the operating system's libraries for cryptography and use their own native OpenSSL
libraries, which may not have been patched. Even though an app may be connecting to a secure, patched server, if the app itself uses
a vulnerable version of OpenSSL, the connection is still insecure, Hui Xue, senior engineer...
...
To add further insult to injury for end users, FireEye found that apps that claim to scan for the Heartbleed flaw on Android, for the most part,
don't really work. Looking at 17 different apps that claim to scan for Heartbleed ...
"Only two of them did a decent check on Heartbleed vulnerability of apps,"...
...
"We've also seen several fake Heartbleed detectors in the 17 apps, which don't perform real detections nor display detection results to users
and only serve as adware."
http://www.eweek.com/security/heartb...s-at-risk.html
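
The FireEye point quoted in the post above (apps shipping their own native OpenSSL) can be checked offline by reading the version banner out of the native libraries inside an APK. This is an added example, not part of the original post or any tool it links to; the file names and sample APK are constructed, and the 1.0.1 through 1.0.1f range is the affected OpenSSL release range, which the thread itself does not state. A banner match is only an indicator, since a build can have the heartbeat extension compiled out.

```python
import io
import re
import zipfile

# OpenSSL embeds a banner such as b"OpenSSL 1.0.1e 11 Feb 2013" in its binaries.
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]?)[ -]")

def in_heartbleed_range(version: bytes, letter: bytes) -> bool:
    """True for 1.0.1 through 1.0.1f; 1.0.1g carried the fix."""
    return version == b"1.0.1" and letter in (b"", b"a", b"b", b"c", b"d", b"e", b"f")

def scan_apk(apk_bytes: bytes) -> list:
    """Return (library path, banner version, needs_review) for bundled native libs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            # Native code lives under lib/<abi>/*.so; skip everything else.
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            seen = set()
            for m in BANNER.finditer(apk.read(name)):
                version, letter = m.group(1), m.group(2)
                label = (version + letter).decode()
                if label not in seen:
                    seen.add(label)
                    findings.append((name, label, in_heartbleed_range(version, letter)))
    return findings

def build_sample_apk() -> bytes:
    """Constructed sample: two fake native libraries and one non-native file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/armeabi-v7a/libbundledssl.so",
                   b"\x7fELF\x00pad\x00OpenSSL 1.0.1e 11 Feb 2013\x00")
        z.writestr("lib/armeabi-v7a/libpatched.so",
                   b"\x7fELF\x00OpenSSL 1.0.1g 7 Apr 2014\x00")
        z.writestr("classes.dex", b"dex\n035\x00OpenSSL 1.0.1c 10 May 2012\x00")
    return buf.getvalue()

if __name__ == "__main__":
    for path, version, review in scan_apk(build_sample_apk()):
        print(f"{path}: OpenSSL {version} -> {'REVIEW' if review else 'ok'}")
```
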
 
Tornado15550
#7
Junior Member
Thanks Meter 3
Posts: 29
Join Date: Nov 2013
All 4.1.1 devices should be updated to 4.1.2 by manufacturers regardless of whether they were former flagships or entry level devices.
