How to run http://filippo.io/Heartbleed/ / https://github.com/FiloSottile/Heartbleed yourself
http://filippo.io/Heartbleed/ is a great service to the community.
I wouldn’t recommend testing hosts againt an online tool. All you do is create a log for a security savvy person with vulnerable hosts. While not quite the same, this is similar to uploading private keys or passwords to a service to check if they are secure.
Luckily it is easy to run the software locally, as the author was so kind to provide the source. I don’t read go very well, but a cursory glance suggests that the software does what it says on the tin, so we don’t worry about it phoning home.
This is the first time I’m building a go project, so I have to install go first. brew install go is easily done. You can get binary distributions for your OS from the go homepage: https://code.google.com/p/go/downloads/list
Heartbleed depends on a few other modules and I’m sure there is a fancy module system I can use, but I have no time to learn that right now (comments are open :), so I’m patching the source a little (see below), to make source imports local. I also clone git clone https://github.com/davecgh/go-spew.git into the Heartbleed top level directory.
See https://gist.github.com/janl/10107626#comment-1207459 for how to install the dependencies.
To build the thing, run go build.
Then I can run Heartbleed locally without creating a log elsewhere:
./Heartbleed example.com:443
> git diff
diff --git a/bleed.go b/bleed.go
index f017e57..aa36d40 100644
--- a/bleed.go
+++ b/bleed.go
@@ -1,7 +1,7 @@
package main
import (
- bleed "github.com/FiloSottile/Heartbleed/bleed"
+ bleed "./bleed"
"log"
"os"
)
diff --git a/bleed/heartbleed.go b/bleed/heartbleed.go
index afe8b41..cfd9dd1 100644
--- a/bleed/heartbleed.go
+++ b/bleed/heartbleed.go
@@ -4,8 +4,8 @@ import (
"bytes"
"encoding/binary"
"errors"
- "github.com/FiloSottile/Heartbleed/tls"
- "github.com/davecgh/go-spew/spew"
+ "../tls"
+ "../go-spew/spew"
"time"
)