Chromebleed alerts sites vulnerable to Heartbleed

Chrome extension Chromebleed runs in the background and warns you when you open a site that has yet to be patched for the Heartbleed bug.

Matt Elliott Senior Editor

The Heartbleed bug is one of the biggest security flaws the Internet has known. Internet research firm Netcraft estimates that as many as 500,000 websites could be affected. Since hackers can exploit Heartbleed to steal user data -- Canadian police yesterday arrested a man who allegedly used Heartbleed to steal user data from the government's tax website -- the call has gone out for users to change their passwords for affected sites. It does you no good, however, to change your password for a site until the site has been patched.

How do you know if a site is still at risk? You could check a site yourself by plugging its URL into a tool from LastPass or Qualys, or you could check our list of the top 100 sites to see which have been patched. Either method, however, requires you to initiate the check. An easier way is to install Chromebleed, a Chrome extension that runs in the background and pops up a warning when you visit a site that is vulnerable to Heartbleed, requiring no additional effort on your part after simply clicking to install it.

Chromebleed was developed by an Italian programmer, Filippo Valsorda, who has his own Heartbleed site checker here.

When you install the extension, it'll add a small button with the Heartbleed icon to the right of Chrome's URL bar. When you visit a site that is vulnerable, it'll display a warning like so:

Chromebleed warning
Screenshot by Matt Elliott/CNET

By default, Chromebleed does nothing for sites that have been patched against Heartbleed. By right-clicking on the Chromebleed button and selecting Options, you can check a box to Show All Notifications. With this setting enabled, you will get an alert for every site you visit, good or bad. Here is an example of a good notification:

Chromebleed good alert
Screenshot by Matt Elliott/CNET

In my experience (on a Mac), Chromebleed's alerts had to be manually closed, so I don't advise turning on all notifications. Most sites I visit have been patched, and Chromebleed's notifications quickly became overwhelming.

Chromebleed settings
Screenshot by Matt Elliott/CNET

Chromebleed was recently updated to version 2.0, which adds the Heartbleed icon to Google search results when a listed site is still affected by Heartbleed. Despite searching for sites known to be vulnerable, I did not see any Heartbleed icons in my Google search results.

Still, Chromebleed's primary purpose of alerting me to vulnerable sites makes me feel safer online in the wake of Heartbleed.

For more on the Heartbleed bug, I direct your attention to our Heartbleed FAQ page.