Tests and Questions
possible.lv heartbleed test @ http://possible.lv/tools/hb/
results follow:
/Looking for TLS extensions on https://blog.avast.com
ext 65281 (renegotiation info, length=1)
ext 00011 (EC point formats, length=4)
ext 00035 (session ticket, length=0)
ext 00015 (heartbeat, length=1) ← Your server supports heartbeat. Bug is possible when linking against OpenSSL 1.0.1f or older. Let me check.
Actively checking if CVE-2014-0160 works: Your server appears to be patched against this bug.
Checking your certificate
Certificate is valid before 0day. ← Your stuff may be compromised. Consider changing the certificate and passwords.
//
Looking for TLS extensions on https://forum.avast.com
ext 65281 (renegotiation info, length=1)
TLS extension 15 (heartbeat) seems disabled, so your server is probably unaffected.
/end of results
LastPass Heartbleed checker @ https://lastpass.com/heartbleed
results follow:
/WARNING: forum.avast.com was confirmed as vulnerable either publicly via statement or on 4/8/2014 LINK
Site: forum.avast.com
Server software: ASW
Was vulnerable: Possibly (might use OpenSSL, but we can’t tell)
SSL Certificate: Possibly Unsafe (created 3 months ago at Jan 15 00:00:00 2014 GMT)
Assessment: It’s not clear if it was vulnerable so wait for the company to say something publicly, if you used the same password on any other sites, update it now.
//
WARNING: blog.avast.com was confirmed as vulnerable either publicly via statement or on 4/8/2014 LINK
Site: blog.avast.com
Server software: nginx
Was vulnerable: Probably (known use OpenSSL, but might be using a safe version)
SSL Certificate: Possibly Unsafe (created 3 months ago at Jan 15 00:00:00 2014 GMT)
Assessment: It’s not clear if it was vulnerable so wait for the company to say something publicly, if you used the same password on any other sites, update it now.
/end results
[b]These results appear to show Avast may have fixed SSL, but the certificates are still showing old issue dates.
I am a client and do not maintain SSL certificates, but I have a question regarding re-keying versus revoke and re-issue.
When re-keying a certificate, does the CA give the certificate a new issue date and keep the old expiry date?
The question being: some are saying re-keying and not revoking the certificate will take care of the security issue, but is that reflected in the
certificate dates?[/b]
These two sites may be considered low priority and do not merit the cost versus risk of buying new certificates, but the client may stop
trusting the old certificates. Right or wrong?
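
The two passive checks that both scanners report in the post above (is TLS extension 15 advertised, and was the certificate issued before the bug became public), as an added example that is not part of the original post or either tool's code. The disclosure date of 7 April 2014, the function names and the sample bytes are assumptions made for this sketch; the sample mirrors only the extension types and lengths in the blog.avast.com listing.

```python
import ssl
import struct
from datetime import datetime, timezone

# Assumption: public disclosure date of CVE-2014-0160 (Heartbleed).
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)
HEARTBEAT = 15  # TLS extension type 15, as listed in the scan output above

def parse_extensions(block: bytes) -> dict:
    """Parse a TLS extensions block (2-byte total length, then repeated
    2-byte type, 2-byte length, data) into {type: data}."""
    if len(block) < 2:
        raise ValueError("truncated extensions block")
    (total,) = struct.unpack_from("!H", block, 0)
    if total != len(block) - 2:
        raise ValueError("extensions length mismatch")
    exts, pos = {}, 2
    while pos < len(block):
        if pos + 4 > len(block):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", block, pos)
        pos += 4
        if pos + ext_len > len(block):
            raise ValueError("extension data overruns block")
        exts[ext_type] = block[pos:pos + ext_len]
        pos += ext_len
    return exts

def issued_before_disclosure(not_before: str) -> bool:
    """not_before is in OpenSSL text form, e.g. 'Jan 15 00:00:00 2014 GMT'."""
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), timezone.utc)
    return issued < DISCLOSURE

def assess(block: bytes, not_before: str) -> str:
    # Advertising heartbeat only means the bug is possible, not that it is present.
    heartbeat = HEARTBEAT in parse_extensions(block)
    if heartbeat and issued_before_disclosure(not_before):
        return "heartbeat advertised; certificate predates disclosure"
    if heartbeat:
        return "heartbeat advertised; certificate issued after disclosure"
    return "heartbeat not advertised"

# Constructed sample: same extension types and lengths as the blog.avast.com listing.
_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in
                 [(65281, b"\x00"), (11, b"\x03\x00\x01\x02"), (35, b""), (15, b"\x01")])
SAMPLE = struct.pack("!H", len(_body)) + _body

if __name__ == "__main__":
    print(assess(SAMPLE, "Jan 15 00:00:00 2014 GMT"))
```

Run against the date both checkers show (Jan 15 2014), the sample lands in the first branch, which is the same combination the possible.lv output flags for blog.avast.com.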