Amid the widespread panic over the Heartbleed vulnerability (CVE-2014-0160), which affects some versions of OpenSSL, the open source cryptographic library used in everything from applications and websites to corporate networks, more than a few “health check” websites have popped up offering users tools to check various sites for the presence of the vulnerability. Using them, however, may put you at risk of breaking some serious laws.
The issue was first raised by Veracode’s Chris Wysopal, and other security experts agree that while checking whether a particular site may be running a vulnerable version of OpenSSL may be copacetic, any further probing could violate the Computer Fraud and Abuse Act (CFAA) in the U.S. and the Computer Misuse Act in the UK.
“I would say it would certainly contravene the Computer Misuse Act in the UK,” tweeted security researcher David Litchfield. “This is no different than, say, testing to see if a site is vulnerable to SQL injection. It’s not legal without permission.”
Dai Davis, a lawyer who specializes in information technology, agrees, stating that “under UK law you could argue running scans is just about criminal. It’s not in the spirit of the law but the Computer Misuse Act is badly written.”
Akamai’s Martin McKeay tweeted that while it may not be legal, “vast numbers of otherwise ethical security professionals are testing every site on the internet,” so the question remains as to whether this non-malicious act will be deemed criminal in the eyes of the law.
Such probing should only be done by professional penetration testers who have a legal contract with an organization to engage in such activities; curious security researchers and the public should take heed of the warnings and not put themselves in jeopardy unnecessarily.
“If you plan to run these tools against infrastructure that you don’t own, you are probably breaking a few laws in the process, since these tools do not just check OpenSSL version numbers, but actually execute a limited attack which retrieves a small block of memory from the running server,” said Daniel Ingevaldson from anti-fraud vendor Easy Solutions.