Tech Made Simple

Hot Topics: The Best Electric Rice Cooker | 5 Worst Apps to Download | Best Bluetooth Headset | What's Draining Your Android Battery?

Techlicious Blog

author photo

Browser Extentions that Protect Against Heartbleed

by on April 15, 2014
in Computer Safety & Support, News, Computers and Software, Internet & Networking, Blog :: 9 comments

Though news of the Heartbleed SSL bug broke early last week, the danger to your personal data is far from over. Countless websites are still vulnerable to Heartbleed data leaks, and will be for some time. The only way to surf safe is to change all your passwords, and only after you test each site you visit.

The good news: Checking sites for Heartbleed just got a whole lot easier thanks to a pair of new browser plug-ins that automate your safety research for you. Techlicious recommends you immediately download the incredibly useful Chromebleed extension for Google Chrome or the Heartbleed-Ext extension for Mozilla Firefox. Neither Apple's Safari browser nor Microsoft's Internet Explorer have plug-ins available at this time. So this would be a good time to check out a new browser, if you don't have Chrome or Firefox already installed.

Once downloaded and installed, both Chromebleed and Heartbleed-Ext check every web domain you navigate to for the Heartbleed SSL bug. If a site is still affected by Heartbleed, a small popup will alert you, reminding you that your data could be at risk.

Wisegeek Heartbleed alert

Heartbleed will likely fade from our collective memories soon, but the threat posed by the bug could persist for months or even years. Installing one of these simple browser plug-ins will help keep you protected.

You can download the Chromebleed extension from the Google Chrome Web Store. Heartbleed-Ext is available from the Mozilla Add-on Collection. Both are free of charge to download and use.

For more on keeping your computer protected against security threats like Heartbleed, check out our computer safety and support resource page.

Subscribe to the Techlicious Daily Email!

Get the Techlicious Guide to Great Photography as your FREE gift!

Discussion loading

gravatar

Mobile

From Greg Williams on April 16, 2014 :: 10:28 am

You completely forgot about addressing mobile applications.  I use my phone a whole lot more than a computer so what about us?

Reply

avatar

We didn't forget...

From Josh Kirschner on April 16, 2014 :: 11:06 am

Unfortunately, we haven’t found any similar extensions for mobile browsing and, I suspect, the way apps are sandboxed on phones may make it difficult to develop one.

However, we’ll definitely update the story if one is available.

Reply

gravatar

little flagged

From Herbert Sweet on April 16, 2014 :: 11:27 am

I installed this ad-on and proceeded to check some of my password protected websites.  Most of them were green and few were yellow but I found no red.

Reply

gravatar

Chromebleed accessing my data?

From jc on April 17, 2014 :: 6:57 pm

Before installing Chromebleed, it asks if you want to allow it to “access your data on all websites” and “access your tabs and browsing activity.”

It certainly makes sense that Chromebleed needs to access your browsing activity to know if the site you’ve browed to is safe, but why in the world does it need to access your other data? This seems a bit sketchy.

Reply

gravatar

Developer of Chromebleed

From Tony Alves on April 22, 2014 :: 1:09 pm

Hello JC,

I am one of the main developers on Chromebleed.  You can see the code on Github.com/StopBleed/chromebleed
There is nothing nefarious going on.  We are open source developers trying to get a tool to the masses to help them identify servers with the potential to have their vulnerability exploited.
Read here about developing with these issues: http://lifehacker.com/5990769/why-do-chrome-extensions-need-to-access-all-my-data

We would love for these permissions to be more granular.  What we did is make it apparent by allowing anyone to see the code.

Hope that clears up your concern.

Tony

Reply

gravatar

LastPass users have it made...

From Mike on April 20, 2014 :: 11:34 pm

I use LastPass, and it does the work of checking sites for Heartbleed for me.  Via the ‘security check’ feature, it scans all the sites which I have a username and password for, and checks to see if the site has updated its certificates recently.  If they’ve updated, I’m prompted to visit the site and change my password; if not, I’m told to wait.  Simple!

P.S. If you don’t have LastPass protecting and managing your passwords, I suggest you get it ASAP.  It’s the best free password manager I’ve ever used.

Reply

gravatar

LastPass issue

From Tony Alves on April 22, 2014 :: 1:44 pm

Mike,

I use LastPass also. I am not sure if they changed how they are checking the sites, at one time they were only checking certificate updates. You should really consider using a tool like Chromebleed or an online checker that does a heartbeat check.  LastPass was only checking certificates and not whether the servers have been actually patched.  You do not want to update a password on a site that has not been patched.

I just ran lastpass.com online heartbleed tool against the test server from cloudflare.com (http://www.cloudflarechallenge.com/heartbleed) which is a server setup to show a vulnerable site. 
LastPass showed this message:
Site:  http://www.cloudflarechallenge.com
Server software:  nginx
Was vulnerable:  Possibly (known use OpenSSL, but might be using a safe version)
SSL Certificate:  Now Safe (created 2 weeks ago at Apr 10 00:00:00 2014 GMT)
Assessment:  Change your password on this site if your last password change was more than 2 weeks ago  

Uhhhh…. BAD!
I will be contacting them.

Reply

gravatar

I've Been Changing Passwords with RoboForm

From TechJessie on April 21, 2014 :: 4:35 pm

I must have changed about 10 passwords already.  I’ve always used RoboForm so the process is pretty easy.  I can’t imagine how people get along without a password manager.  Still…what a hassle the Heartbleed virus has been.

Reply

gravatar

Hi Josh,We have a release

From Tony Alves on April 22, 2014 :: 1:52 pm

Hi Josh,

We have a release of Chromebleed called Stopbleed in the store that follows development releases also.

Thanks for the write up.

Reply

© 2014 Techlicious LLC. :: Home | About | Meet the Team | Sponsorship Opportunities | Newsletter Archive | Contact Us :: Terms of Use | Privacy Policy

site design: Juxtaprose