Chromebleed alerts sites vulnerable to Heartbleed
Chrome extension Chromebleed runs in the background and warns you when you open a site that has yet to be patched for the Heartbleed bug.
The Heartbleed bug is one of the biggest security flaws the Internet has known. Internet research firm Netcraft estimates that as many as 500,000 websites could be affected. Since hackers can exploit Heartbleed to steal user data -- Canadian police yesterday arrested a man who allegedly used Heartbleed to steal user data from the government's tax website -- the call has gone out for users to change their passwords for affected sites. It does you no good, however, to change your password for a site until the site has been patched.
How do you know if a site is still at risk? You could check a site yourself by plugging its URL into a tool from LastPass or Qualys, or you could check our list of the top 100 sites to see which have been patched. Either method, however, requires you to initiate the check. An easier way is to install Chromebleed, a Chrome extension that runs in the background and pops up a warning when you visit a site that is vulnerable to Heartbleed, requiring no additional effort on your part after simply clicking to install it.
Chromebleed was developed by an Italian programmer, Filippo Valsorda, who has his own Heartbleed site checker here.
When you install the extension, it'll add a small button with the Heartbleed icon to the right of Chrome's URL bar. When you visit a site that is vulnerable, it'll display a warning like so:
By default, Chromebleed does nothing for sites that have been patched against Heartbleed. By right-clicking on the Chromebleed button and selecting Options, you can check a box to Show All Notifications. With this setting enabled, you will get an alert for every site you visit, good or bad. Here is an example of a good notification:
In my experience (on a Mac), Chromebleed's alerts had to be manually closed, so I don't advise turning on all notifications. Most sites I visit have been patched, and Chromebleed's notifications quickly became overwhelming.
Chromebleed was recently updated to version 2.0, which adds the Heartbleed icon to Google search results when a site listed is still affected by Heartbleed. Despite searching for sites to be known to be vulnerable, I did not see any Heartbleed icons in my Google search results.
Still, Chromebleed's primary purpose of alerting me to vulnerable sites makes me feel safer online in the wake of Heartbleed.
For more on the Heartbleed bug, I direct your attention to our Heartbleed FAQ page.