rbsec / sslscan

sslscan tests SSL/TLS enabled services to discover supported cipher suites
GNU General Public License v3.0

false positives heartbleed #120

Open anantshri opened 7 years ago

anantshri commented 7 years ago

This is regarding the heartbleed checks.

I have had both false positives and false negatives on these for a long time and this doesn't seem to be reliable at all. The same site which is vulnerable to heartbleed gets detected as vulnerable in some scans, but multiple parallel scans result in a false negative, marking it as non-vulnerable. The inverse also holds true for confirmed non-vulnerable code (read SSL on IIS :P).

Not sure having this check, which is not reliable, as a default is serving much purpose. I propose moving this to optional checks and not making it a mandatory / default scan option.

vincentcox-work commented 7 years ago

Also experiencing this issue.

jedai47 commented 2 years ago

Is the issue reproducible? I.e., does the false positive always occur on some sites?

BreakfastSerial commented 1 year ago

I also have the same issue. I can't disclose the service URL as it's only running internally and I signed an NDA.

For me sslscan-win-2.0.13>sslscan.exe and sslscan-2.0.15>sslscan.exe report:

Heartbleed:
TLSv1.3 vulnerable to heartbleed
TLSv1.2 vulnerable to heartbleed

While other tools (sslyze, Burp Suite HeartBleed Extension) report the service isn't vulnerable to Heartbleed.

The behavior is also reproducible, but it does work as expected for domains such as example.com.

edit: I just noticed, the issue is from 2016, so I assume this is some weird edge-case.

dogasantos commented 11 months ago

Same here. Running dozens of times on the same target, it will eventually show it as vulnerable. But the heartbeat extension is not even present.