
I know that the vulnerability exploits the Heartbeat response which is a TLS feature. Now, when testing some of my important sites, there was some wording that scared me, namely:

TLS extension 15 (heartbeat) seems disabled, so your server is probably unaffected.

Does that mean that there's another possible vulnerability related to Heartbeat, or is the wording like that just to leave the possibility of other vulnerabilities open and not make me feel safe?

  • It's like anything in security. The absence of a positive result does not prove a negative result. It's still up to you if you want to check what implementation of TLS you're relying on. Commented Apr 9, 2014 at 0:22
  • @JohnDeters ok, but does that mean that those servers are safe from that vulnerability? – Braiam, Commented Apr 9, 2014 at 0:39
  • It only means they passed one specific test. Nobody can promise complete safety, ever. Commented Apr 9, 2014 at 3:09

1 Answer


These "heartbleed" testing services work by attempting to perform the OpenSSL TLS heartbeat exploit and seeing if it is successful. There are three possible outcomes:

1) The server accepts the malformed "heartbeat" packet and drops it. In this case, you can be reasonably certain the server is unaffected (or that a firewall or other service is protecting it).

2) The server accepts the packet and returns random memory contents in its response. In this case, you know for certain that the server is vulnerable.

However, you're encountering another option:

3) The server states that it does not support the TLS heartbeat option. It's reasonable to assume the server is safe, but you can't be certain. It's possible, for example, that the server is using the vulnerable version of the OpenSSL library and can be tricked into accepting a TLS heartbeat packet.
