1

One of the services I use is saying they were unaffected by heartbleed. But when I check their site with the tool at http://possible.lv/tools/hb/, this is what it says: 

Looking for TLS extensions on https://xxxxxxxxxx

ext 65281 (renegotiation info, length=1)
TLS extension 15 (heartbeat) seems disabled, so your server is probably unaffected.

I was under the impression that heartbeat was previously considered benign, and people have only been disabling it in the past couple of days if they didn't want to upgrade OpenSSL. Is there any reason a server might have had it disabled all along?

Alternately, is it possible that the tool could be returning this response if they're using different SSL software that never had heartbeat available? Is there a way I can get more complete information on this?

octern
  • 180
  • 1
  • 9
  • 1
    Heartbeat was introduced in OpenSSL 1.0.1. Some servers run the 0.9.8 suite which is before heartbeat was implemented, so it's either a) patched, or b) running a non-affected version. – Nathan C Apr 09 '14 at 18:25

2 Answers2

3

No. "Disabled" means here that the client announced support of the heartbeat extension, and the server failed to respond with "hey, I know that one too ! Let's heartbeat together !".

This term does not mean that the heartbeat extension was supported, but then removed in some way. This information is not accessible from the outside. All that can be known is whether the server currently appears to handle heartbeats, or not.

Since Linux distributions promptly pushed fixes through normal security update mechanisms (as befits the case), it is expected that any decently managed server has been fixed by now, or soon will be. Servers which have the bug and keep on having it are servers which are poorly maintained, meaning that they quite probably already have bigger security holes.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • Thanks, this is the critical information I was looking for. I have no reason to disbelieve what they told me, as long as the "disabled" result isn't *inconsistent* with "we were never vulnerable." – octern Apr 09 '14 at 18:47
  • One specific way to get a "heartbeat extension disabled" message is to test a server running OpenSSL 0.9.8: that version pre-dates the implementation of the "heartbeat" extension and accompanying bug. – Mark Apr 09 '14 at 20:11
1

In short, there's no way to explicitly say it was previously vulnerable. Like Nathan mentioned in his comment, servers that had not upgraded from 0.9.8 wouldn't have had heartbeat available, meaning that the server was safe from Heartbleed. If they were vulnerable and they have since turned off the heartbeat functionality, then you would have no way of knowing. If you are still worried about your information regarding the service, try to contact the administrator and ask them personally. If they were previously affected, there is a LOT more they have to do to remedy Heartbleed than just turn off the heartbeat.

Jason Higgins
  • 647
  • 4
  • 8