The recently uncovered massive Heartbleed vulnerability affecting 66% of websites is currently being patched by many companies, but several online services already offer users the means to test whether a website is still affected by the Heartbleed vulnerability. However, checking to see whether a site runs a flawed version of OpenSSL is actually in violation of computer misuse laws and could land users in jail, at least theoretically, The Register reports.
According to the U.S. Computer Fraud and Abuse Act and the U.K. Computer Misuse Act, it is illegal to test the security of third-party websites without their permission. Therefore, Heartbleed testing, and any other security checks on a website such as the ones performed by security researchers, could be punished with jail time if such laws were actually enforced.
“I would say [checking for Heartbleed] would certainly contravene the Computer Misuse Act in the UK,” computer security researcher David Litchfield said on Twitter. “This is no different than say testing to see if a site is vulnerable to SQL injection. It’s not legal without permission.”
“Under UK law you could argue running scans is just about criminal,” Percy Crow Davis & Co IT lawyer Dai Davis told the publication. “It’s not in the spirit of the law but the Computer Misuse Act is badly written.”
Those who want to know whether the sites they visit are secure have various online options to check for Heartbleed — if they don’t mind breaking the law — including a handy Chrome plugin.