Watchtower and heartbleed

Clement
Community Member

Watchtower is a great feature, but it shows vulnerabilities to Heartbleed when a different Heartbleed testing site does not. https://filippo.io/Heartbleed/

I assume that your test is a newer or better test?

Thanks

Comments

  • mikebore
    Community Member

    Watchtower has listed HSBC and Barclays as vulnerable but every other source I can find says they are not affected. Who to believe?

  • mikebore
    Community Member

    Credibility is also my problem with it. Two of my banks (HSBC, Barclays) appear in my Watchtower list, but every other source says they were not affected.

  • loscamos
    Community Member

    +1 for this. Same problem.

  • Megan
    1Password Alumni

    Hi @Clement, @mikebore, and @loscamos,

    I'll do my best to explain a bit more about how Watchtower checks for vulnerabilities here.

    Watchtower has 3 criteria that it checks for:

    1. Server Vulnerability
    2. Reissued security certificates
    3. Old security certificates revoked.

    Any discrepancy between Watchtower and another site is likely due to un-revoked certificates. Some vulnerability will remain when the old security certificates haven't been revoked, but certainly not as much as with the other two issues.

    I hope that helps to explain why Watchtower might rate things differently than some other sites. If you do have further questions, don't hesitate to ask!

  • mikebore
    Community Member

    Thanks Megan. So it sounds like we need a manual way to get items off the list if we want to?

    Just noticed that my three HSBC bank items have disappeared off the list without action from me....except I just updated to 1P 4.4.1 beta 1.

  • Hi @mikebore,

    We are continually updating the Watchtower database, so I am guessing that this is what happened here.

This discussion has been closed.