
Amid the widespread panic over the Heartbleed vulnerability (CVE-2014-0160), which affects some versions of OpenSSL, the open source cryptographic library used in everything from applications and websites to corporate networks, more than a few “health check” websites have popped up offering users tools to check various sites for the presence of the vulnerability – but using them may put you at risk of breaking some serious laws.

The issue was first raised by Veracode’s Chris Wysopal, and other security experts believe that while checking to see if a particular site may be using a vulnerable version of OpenSSL may be copacetic, any further probing could violate the Computer Fraud and Abuse Act (CFAA) in the U.S., and the UK’s Computer Misuse Act.

“I would say it would certainly contravene the Computer Misuse Act in the UK,” tweeted security researcher David Litchfield. “This is no different than say testing to see if a site is vulnerable to SQL injection. It’s not legal without permission.”

Dai Davis, a lawyer who specializes in information technology, agrees, stating that “under UK law you could argue running scans is just about criminal. It’s not in the spirit of the law but the Computer Misuse Act is badly written.”

Akamai’s Martin McKeay tweeted that while it may not be legal, “vast numbers of otherwise ethical security professionals are testing every site on the internet,” so the question remains as to whether this non-malicious act will be deemed criminal in the eyes of the law.

Such probing should only be done by professional penetration testers who have legally contracted with an organization to engage in such activities, and curious security researchers and the public should take heed of the warnings and not put themselves in jeopardy unnecessarily.

“If you plan to run these tools against infrastructure that you don’t own, you are probably breaking a few laws in the process, since these tools do not just check OpenSSL version numbers, but actually execute a limited attack which retrieves a small block of memory from the running server,” said Daniel Ingevaldson from anti-fraud vendor Easy Solutions.
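The distinction the article draws is between a version check and an actual probe that pulls memory from a server you do not own. The check a defender can run without any legal question is against their own hosts: read the OpenSSL version the local build reports and compare it with the affected release range. The following script is an added example and is not part of the original article or of any of the tools it mentions; the affected-version logic (1.0.1 through 1.0.1f and the 1.0.2 betas, fixed in 1.0.1g) is from the OpenSSL advisory for CVE-2014-0160, and the sample version strings in the test are constructed.

```python
import re
import subprocess

# OpenSSL releases affected by Heartbleed (CVE-2014-0160): 1.0.1 through 1.0.1f
# and the 1.0.2 beta releases. 1.0.1g and 1.0.2 final contain the fix. The
# 0.9.8 and 1.0.0 branches never shipped the heartbeat extension and are not affected.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def is_heartbleed_affected(version_string):
    """Return True if the given `openssl version` banner is in the affected range.

    Caveat: distributions that backported the fix (Debian, Ubuntu, RHEL and
    others) kept the upstream version string, typically 1.0.1e, and bumped only
    the package release. On such systems this function reports the unpatched
    upstream state and the package manager's changelog is the authoritative source.
    """
    m = VERSION_RE.search(version_string)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % version_string)
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter = m.group(4)  # "" for 1.0.1, "f" for 1.0.1f, and so on
    beta = m.group(5)    # "1" for 1.0.2-beta1, None for a final release
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g and later are fixed.
        return letter < "g"
    if (major, minor, patch) == (1, 0, 2):
        # Only the 1.0.2 betas carried the bug; 1.0.2 final shipped with the fix.
        return beta is not None
    return False


def local_openssl_status():
    """Run `openssl version` on this host and classify the result.

    Returns a (banner, affected) tuple. This inspects only the local binary;
    it sends nothing to any server.
    """
    banner = subprocess.run(
        ["openssl", "version"], capture_output=True, text=True, check=True
    ).stdout.strip()
    return banner, is_heartbleed_affected(banner)


if __name__ == "__main__":
    banner, affected = local_openssl_status()
    print("%s -> %s" % (banner, "AFFECTED (upstream range)" if affected else "not in affected range"))
```

Run it on each host you administer; a result in the affected range means the binary needs updating, and a result outside it still needs the package changelog checked on distributions that backport fixes. Note that services statically linked against their own copy of OpenSSL are not covered by the system binary's banner.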

  • Tom Bakry

    What about tools like Chrome browser addon that alerts to site vulnerability? The user community is between a rock and a hard place, waiting for all of the under-resourced sites to proactively inform them regarding their security status. If a user cannot depend on a given website communicating their status, clearly they cannot defend themselves against data loss.

  • Phil

    So it is not illegal to continue to run a compromised server allowing individuals' information to potentially be intercepted (such as bank password and username). I for one have made certain, prior to any banking online connections, that any connection I am making is secure. I also note that most banks continue to use TLS1.0 and have not migrated to TLS1.2, which is poor practice considering that TLS1.2 has been pushed by NSA and ASD as a more secure form of encryption.
    We should be thankful that banks have to hold the can for their poor security practices when it comes to criminals emptying our accounts.
    P.S. I also note that in the U.S. of A. the opening of a bank account or the use of EFTPOS machines does not require any formal ID, which is a big reason why 'not to do any online transactions with unknown companies in the U.S.A.' as it is open to fraud, where other parts of the world require positive identification to open bank accounts or set up credit card EFTPOS facilities.

    • Thanks for the additional info Phil…