// the find
FiloSottile/Heartbleed
A checker (site and tool) for CVE-2014-0160
A Go tool and web service that checks whether a host is vulnerable to the Heartbleed bug (CVE-2014-0160), the 2014 OpenSSL memory disclosure that let attackers read 64KB of server memory at a time. Written by Filippo Io during the actual crisis. Useful today only as a historical artifact or reference for how a targeted TLS exploit checker is structured.
Includes a vendored fork of Go's TLS stack with surgical modifications to actually send malformed heartbeat requests — not a port-scanner heuristic, a real exploit probe. STARTTLS support (SMTP, IMAP, etc.) was thoughtful; most checkers at the time only did HTTPS. Exit codes are machine-readable, so it could be scripted into a sweep. The core logic in heartbleed.go is short and easy to follow as a case study in writing a targeted protocol-level vulnerability checker.
Last meaningful commit was years before 2021; the 2021 touch was probably a trivial cleanup. Any server still vulnerable to Heartbleed in 2024 has bigger problems than this tool can solve — the practical use case is essentially zero. The server/ directory bundles an ancient pre-modules Go dependency tree (vendor-by-copy into _third_party) with DynamoDB logging infrastructure that is almost certainly not running anymore. No go.mod, so building it against a modern Go toolchain will require some archaeology.