No web site on the Internet is particularly unique. Below is a list of other "tester" web sites.
- Oracle now has two automated Java tester pages (in the old days Sun had more). Both pages
report the currently installed version of Java and whether it is the latest and greatest (previously some of their tester
pages left this out). However, as befits a large organization and Oracle in
particular, the two pages do not always agree as to whether the latest version of Java is installed.
The pages are:
On March 4, 2013, I tried both pages on a Windows computer running Java 6 update 41, which was the latest version of
Java 6 at the time. The top page reported "Latest Java installed". The bottom page warned that "A newer version of
Java is available" and prompted me to download Java 7 Update 15.
March 5, 2013. After the release of Java 6 Update 43, I tested again.
The top tester page now initially warns that "An old version of Java has been detected on your system."
But, when I clicked on the "test the currently installed version of Java" link, it reported "Latest Java installed".
The bottom tester page now invokes a signed Java applet. Finally. Like yesterday, it warns that
"A newer version of Java is available" but it now prompts to download Java 7 Update 17.
- There are two manual ways to check the latest version of Java from Oracle
- BAD CERTIFICATES One way to verify that your browser is working correctly when it comes to validating certificates is to
purposely give it a bad certificate.
- FREAK attack on SSL/TLS March 4, 2015. A 10 year old flaw in SSL/TLS encryption was uncovered. The flaw can exist both
in web browser and web server software.
- SUPERFISH Feb. 2015. Lenovo pre-installed adware called superfish that broke HTTPS/SSL security on their Windows 8
- Test for cellular ISP tracking beacons at lessonslearned.org/sniff by Kenn White.
ATT, Verizon, Sprint, Bell Canada and Vodacom are/were inserting "super cookies" into hidden web page headers when connected to
their 3G/4G data networks (does not apply with WiFi). If you are not being tracked the "Broadcast UID" is blank. The page explains the issue in detail. There is no HTTPS version of this page because the cellphone companies can not insert data into HTTPS traffic.
- POODLE flaw in SSL v3 from October 2014. SSLv3 is old and buggy, POODLE will hopefully be the nail in the coffin that gets
software providers to remove it from both clients (mostly web browsers) and servers. These sites test either your
web browser or a website for the presence of SSL version 3. No support for SSL3 is the right answer.
- Heartbleed from April 2014. Tests if a web server is vulnerable to the
Heartbleed flaw in OpenSSL.
- SSL Labs Server Test: https://www.ssllabs.com/ssltest/. If all is well
it will say "This server is not vulnerable to the Heartbleed attack. (Experimental)".
- Netcraft has a
browser plugin for Chrome, Firefox and Opera. Netcraft is very qualified for testing both Heartbleed and for certificate revocation.
- The Crowdstrike Heartbleed Scanner can not only scan remote servers it
can also scan your local area network. This lets it test for Heartbleed on your router, NAS or other local device. In addition, it tests many secure
services, such as email and FTP, whereas other scanners just focus on websites. Unlike all the other testers on this page, this is Windows
software that has to be downloaded. It is free, small and portable.
- https://lastpass.com/heartbleed from Lastpass. If all is well is
should say "Vulnerable: No" with the No in green.
- http://filippo.io/Heartbleed by Filippo Valsorda. My least favorite option.
- Apple GoToFail bug from Feb 2014. Only applies to iOS 6, iOS7 and OS X 10.9. These tests only work in web browsers,
but if an Apple device is vulnerable, the problem also exists with many, if not most apps that use the operating system for SSL/TLS security.
- UPnP Testers (see
my blog on this for more)
- The Rapid7 UPnP Check
- Steve Gibson added UPnP testing to his ShieldsUP! service
in January 2013. On the first page, click on the gray Proceed button. On the next page, click on the yellow/orange
button for GRC's Instant UPnP Exposure Test.
- Rapid7 also offers an installable program called
ScanNow that scans a LAN for UPnP enabled devices and reports if the devices are running buggy versions of
UPnP software. The program only runs on Windows and requires 32 bit versions of either Java 6 or Jav 7. It is not
fully portable, but neither does it need to be installed. It requires an email address before it runs the first time.
- Port 32764 Testers (see
my blog on this for more)
- Router/Firewall Testers
Note: If you are behind a router with a firewall (as most of us are) then tests run from outside
your LAN (from the Internet) kick the tires on the firewall in your router, rather than the firewall on any of your computers.
- DNS Server Tests:
- Logjam flaw (May 2015):
- The weakdh.org website was created in May 2015 to document and test for the Logjam vulnerability.
If your browser is vulnerable there will be a red horizontal stripe at the top of the page saying "Warning! Your web browser is vulnerable to Logjam
and can be tricked into using weak encryption. You should update your browser." If all is well, a blue stripe will say
"Good News! Your browser is safe against the Logjam attack."
- The Guide to Deploying Diffie-Hellman for TLS at the weakdh.org site has a server test
- Qualys SSL Client Test shows whether the browser is vulnerable to
the Logjam flaw (among a lot of other information)
- TLS Logjam Check from KeyCDN can test if a server is vulnerable
- Test your web browser:
- How's My SSL? reports the version of SSL/TLS being used, whether the browser supports
forward secrecy, whether it is vulnerable to the BEAST attack and much more. Every test is explained reasonably well.
- whatbrowser.org displays, in simple language, the name of your web browser, its version and
whether it is the latest version.
- The YouTube HTML5 Video Player page shows if the browser is using Flash or HTML5
- Panopticlick from the EFF is a great example of browser fingerprinting. Sadly, you may be
- Qualys BrowserCheck scans your browser and plugins to see if they are up-to-date.
- Qualys SSL Labs also has an SSL Client Test that reports on the
SSL/TLS Capabilities of your web browser. This includes, but is not limited to, testing whether the browser is vulnerable to the Logjam, FREAK
and POODLE flaws.
- The weakdh.org website tests for the Logjam vulnerability. It is the home office for this flaw.
If your browser is vulnerable there will be a red horizontal stripe at the top of the page saying "Warning! Your web browser is vulnerable to Logjam
and can be tricked into using weak encryption. You should update your browser."
- Cipher Suites Supported by Your Browser from Leibniz University
reports on the SSL cipher suites your browser supports for securing HTTPS connections.
- The Mozilla Plugin Check. Originally, this only worked with Firefox, but in May 2010, it
was extended to work with other browsers as well.
Oct 19, 2014: This is very unreliable. Don't trust it. I have seen old plug-ins flagged as up to date too many times.
May 23, 2015: Support for other browsers has been withdrawn, it only supports Firefox
- The Cyscape Browser Capabilities Test Page relies on their BrowserHawk product.
- Test a server:
- The SSL Labs SSL Server Test reports many techie details of the SSL
configuration on a server. From Qualys. This is well respected and has been around for a long time.
- The POODLE, FREAK, Logjam and Heartbleed sections of this page have links to test servers for these vulnerabilities
- Google has a Mobile-Friendly test
- Google also has a Page Speed Insights test that reports on mobile friendly issues.
- When I blogged about
Perfect Forward Secrecy in June 2013, I was not aware of any way to test if a particular browser supported PFS (of course the website has to
also support it). Since then I ran across Calomel.org which only allows connections from web browsers that support PFS. In other words, if you can view the website, your browser supports Perfect Forward Secrecy. On Windows 7, IE 10 can see the site, but IE 9 can not. (added Nov. 1, 2013)
- WebRTC can leak public IP address while on VPN
- Public IP Address:
- At mxtoolbox.com you can look up the MX records for a domain. These mail exchanger records identify the recieving email server(s) for a domain.
- Test email for the availability of TLS at checktls.com. This feature encrypts email as it is sent from one email server to
- Inquire into SPF records for a domain at SPF Record Testing Tools from Kitterman Technical Services. Use this to see if a domain has an SPF record, what it is and whether it is valid or not.
- The dmarcia DMARC Inspector checks for and displays DMARC
records for a domain.
- Test the privacy of your email client at emailprivacytester.com by Mike Cardwell
Check if your email address has been exposed in a data breach at haveibeenpwned.com
- Internet speed tests using Flash: SpeedTest.net is pretty much the unofficial standard.
It also exists as an app for iOS and Android. My previous favorite was SpeakEasy (now
- Internet speed tests using HTML5: The DSLreports.com speed test used to
is fast.com from Netflix. It only reports on download speed. Nothing about upload, ping, latency, jitter or bufferbloat. No ads either. Another HTML5 based speed test is speedof.me.
- Website speed tests:Pingdom Tools has a website speed test and ping speed tests.
Dotcom-Monitor offers similar tools and more.
Infected thumb drives: In
Test your defenses against
malicious USB flash drives I provide a sample autorun.inf file that can be used on a thumb drive to test how well
a Windows machine is defended against malware that may live on a USB flash drive. January 2009.
Official documentation from Microsoft about how to block the installation of Windows 10 on computers running Windows 7 and 8: How to manage Windows 10 notification and upgrade options
Chose and review your Google privacy settings at https://myaccount.google.com/intro/privacy
Check if you are logged in to the TOR network at check.torproject.org
Test if a website is reachable from multiple locations at siteuptime.com.
Test if your credit card was stolen
The Social Network Login Status Detector Demo detects if you are logged in to Facebook, Twitter, Google or Google Plus.
TESTING WEBSITES FOR MALWARE
- Unmask Parasites tests if a web page contains
hidden illicit content.
- The Virus Total URL Scanner gets opinions from
over 30 different sources.
- Test if a web site is blacklisted by either Google, Firefox, Chrome or Norton Safe Web at
- OpenDNS has a
- Web of Trust is in the website good guy/bad guy business.
They offer web browser plugins for IE and Firefox but on their site you can get their rating of any
website without installing software.
- Zscaler Zulu URL Risk Analyzer
- Norton Safe Web from Symantec
- SiteAdvisor from McAfee
- Wepawet is a service for detecting and
PDF files. From the Computer Security Group in the Department of Computer Science
at the University of California, Santa Barbara.
- Sucuri Security Scanner from Sucuri
- LinkScanner from AVG
- Google has a safe browsing feature that offers their opinion on the safety of a
web site. There doesn't seem to be direct link to it, but
click here to see
the rating of this site. It should be obvious from the URL how to get the rating for other sites.
- Much like this list, Lenny Zeltser has is own list of Free Online Tools
for Looking Up Potentially Malicious Websites
Adobe has a Flash tester web page (they don't call it that)
that reports the currently installed version of Flash and the latest version for assorted browsers/OSs. Windows users need to run
this test for all browsers installed on their system as each can be using a different version of the
Flash player. My flashtester.org site has a version history of
Flash and provides a simple name to remember when looking for Adobe's Flash tester page.
The Adobe Flash Player Settings Manager are web pages that let you configure Flash cookies (a.k.a. local shared objects) as well
control how often Adobe checks for updates to the Flash player. For more from Adobe on this see: Flash
Player Help and How
to manage and disable Local Shared Objects.
- The Global
privacy settings page controls whether Flash based web sites can use your camera or microphone
Storage Settings control how much disk space websites can use to store information, or you can prohibit
websites from storing any information at all
Security Settings lets you specify if SWF or FLV content that uses older security rules can access the Internet.
Beats me too what that means.
Notifications Settings is where you configure how you want to be notified about updates to the Flash Player
- At the Website Privacy
Settings page you get a list of websites you've visited. For each you can specify rules about using your camera
or microphone or storing data on your computer.
- This what Adobe says about the Website
Storage Settings panel: "Use this panel to specify storage settings for any or all of the websites that have requested
permission to use your camera or microphone or to store information on your computer."
Test HTML5 local storage
Enter your name, then reload the page.
Eric Gerds Plugin Detection detects
Java, QuickTime, Flash, Shockwave,
Windows Media Player, DevalVR, Silverlight and the VLC Player.
Eric Gerd (above) does not report the latest version of QuickTime, but you can see it at Apple's QuickTime download page.
Firefox 3.5 Location-Aware Browsing: Click the Give it a try link and Firefox and Google
team up to locate you based on both your IP address and nearby Wi-Fi networks.
I'm glad to report that on a computer without Wi-Fi it was off by roughly two thousand miles.
The PC Pitstop Quick Program Scan is an ActiveX based test that
tells you what's running on your computer, including background processes. For each process, it reports who made it and
what it is. Most importantly, perhaps, processes are color coded based on threat level: unknown, safe, optional,
spyware/adware, virus. Only works with Internet Explorer and will not run if IE is run in restricted mode with DropMyRights.
The Conficker Eye Chart is a simple
web page that reports whether your computer is infected with the Conficker worm. Joe Stewart came up with the idea
and he has a copy of the same page at his personal website.
The H security also has an online Conficker tester.
(at least working on this site, it may not
browser supports and displays your browsers "user agent", a string of characters that websites can use to
identify which web browser you are using.
Adobe has a page which tests for Shockwave
This page used to test for both Flash and Shockwave, no more.
Adobe does not have an page that tests AIR, as far as I know. But they do have
instructions for manually
checking file properities on Windows, Mac OS X and Linux. On Windows, you can check in the Control Panel just
as with all other software.
Test your brain at the Prevention Magazine Brainpower
Assessment Quiz. They say to allow 15 minutes for the test.
The Intel Driver Update Utilities will (in theory)
auto-detect if you have Intel hardware for video, audio, Wi-Fi or Ethernet. Each is a separate utility and
they only support Windows.
If one of the utilities finds Intel hardware, then it reports whether you have the latest driver or not.
Each utility works with either IE using ActiveX or Firefox using Java. Be warned though,
I tested them and found they failed to
correctly detect Intel hardware most of the time.
ClickJacking demos put together by Steve Gibson in October 2008.
As of May 2009 the demos seem to have gone stale, not sure.
Test if your ISP is manipulating BitTorrent
traffic from the Max Planck Institute for Software Systems
Windows Update: Conficker and other malware blocks access to Windows Update.
A quick and easy way to verify that Windows Update is working correctly is to manually run Microsoft's
Malicious Software Removal Tool. In Windowx XP, do Start -> Run -> "mrt.exe". In Vista, click the Start
button and type "mrt" into the search box to locate the mrt.exe file. For more see my February 5, 2009
you don't know about the Windows Malicious Software Removal Tool.
Testing VRML plugins: cic.nist.gov/vrml/vbdetect.html
Mickey Segal has a Configuration
Test for Java that is very similar to the Version page here
Another Java tester is available from Duckware. They
also have an online tester for the bug in Java 7 Update 25
(and later?) that causes a Java warning message to display
the wrong program name. (added Aug 28, 2013)
Another Java tester is available at gemal.dk
as part of their BrowserSpy. Read more about BrowserSpy.
A low end Java tester is available from
Click and Learn has a browser tester in German that tests
Java, Flash, Acrobat, Windows Media player and more.
ScanIt has a web browser
security tester (a bit off this subject, but good to know)
www.mailtester.com validates an
email address and reports on the email server
www.dnsstuff.com offers domain name
tests, IP tests and hostname tests
PC Pitstop has an ActiveX
tester, very similar in concept to the Version page on this site. Martin
Heller has one too.
Testvirus.org allows you to send a harmless test virus to any email address. If
your mail server or email hosting provider is running anti-virus software, these emails should get blocked.
This isn't a tester, just a useful page. Microsoft's free
Office Online File Converters and
Who made that Ethernet network adapter? See the Wireshark
OUI Lookup Tool or query the IEEE directly.
You can also download the full list in plain text from the IEEE.
Is the router you are sitting behind enabled for IP version 6 (IPv6)? Test it at whatismyv6.com
Secure web pages are a sham. The page Test Secure Form
is a perfect example, the URL is HTTPS yet data entered
into the form is not secure. Yes, everything you have been told about website security is wrong.
CentralOps.net has a number of online techie networking tools. I like their
The ICSI Netalyzr tests your Internet connection for
signs of trouble. Very techie stuff. Requires Java. From their website: The International Computer Science
Institute (ICSI) is a leading center for research in computer science and one of the few independent,
non-profit research institutes in the United States.
Test your popup blocker at