No web site on the Internet is particularly unique. Below is a list of other "tester" web sites.
Website malware tests
- Oracle now has two automated Java tester pages (in the old days Sun had more). Both pages
report the currently installed version of Java and whether it is the latest and greatest (previously some of their tester
pages left this out). However, as befits a large organization and Oracle in
particular, the two pages do not always agree as to whether the latest version of Java is installed.
The pages are:
On March 4, 2013, I tried both pages on a Windows computer running Java 6 update 41, which was the latest version of
Java 6 at the time. The top page reported "Latest Java installed". The bottom page warned that "A newer version of
Java is available" and prompted me to download Java 7 Update 15.
March 5, 2013. After the release of Java 6 Update 43, I tested again.
The top tester page now initially warns that "An old version of Java has been detected on your system."
But, when I clicked on the "test the currently installed version of Java" link, it reported "Latest Java installed".
The bottom tester page now invokes a signed Java applet. Finally. Like yesterday, it warns that
"A newer version of Java is available" but it now prompts to download Java 7 Update 17.
- There are two manual ways to check the latest version of Java from Oracle
- WebRTC can leak public IP address while on VPN
- Test if WebRTC is enabled at https://diafygi.github.io/webrtc-ips/. The site "secretly makes requests to STUN servers that can
log your request. These requests do not show up in developer consoles and cannot be blocked by browser plugins (AdBlock, Ghostery, etc.)"
- Test for leakage at https://ipleak.net
- The WebRTC Leak Test at BrowserLeaks.com
- PrivacyTools.io has a WebRTC Leak Test
- Trickle ICE -
click on the red Gather Candidates button near the bottom of the page
- Read more about this from Mullvad VPN (undated) and from BestVPN (Nov. 2015). Note that
Internet Explorer and Safari are safe as they do not support WebRTC at all.
- Firefox: disable WebRTC -> about:config and toggle media.peerconnection.enabled to false
- Chrome requires an extension. WebRTC Leak Prevent works
with Chrome version 42 and newer; some options require Chrome version 48. The WebRTC Network Limiter
prevents IP leaks without fully disabling WebRTC functionality. It is an official Google extension.
- uBlock Origin can also help. See Prevent WebRTC from leaking local IP address
by Raymond Hill, author of uBlock Origin.
- Website Security Tests:
- The SSL Labs SSL Server Test reports many techie details of the SSL
configuration on a server. From Qualys. This is well respected and has been around for a long time.
- Similar to the SSL Labs test, High-Tech Bridge offers an SSL Server Test
- Mozilla Observatory tests assorted security aspects. Released Aug. 2016.
- COMODO SSL Analyzer
- CryptCheck shows which cipher suites are used with TLS 1.2, which with TLS 1.1 and which with TLS 1.0. Also clearly shows whether Perfect Forward Secrecy is supported for each cipher suite (green PFS or orange NO PFS).
- The weakdh.org site can test for Logjam, weak Diffie Hellman keys and Forward Secrecy
- 10 Online Tool to Test SSL, TLS and Latest Vulnerability by Chandan Kumar July 2016
- The POODLE, FREAK, Logjam and Heartbleed sections of this page have links to test servers for these vulnerabilities
- Google has a Mobile-Friendly test
- Website Non-security Tests: Some of these merely claim to be speed testers but they all illuminate a lot about what goes on underneath a web page. For example, where the ads and trackers come from.
- Pingdom Tools has a website speed test and ping speed tests.
- Dotcom-Monitor offers similar tools and more.
- GTMetrix claims to give you insight on how well your site loads and provide recommendations on how to optimize it.
- Website Speed Test from KeyCDN.
- Google has a Page Speed Insights test that reports on mobile friendly issues.
- urlscan.io analyses websites and the resources they request. Much like the Inspector of your browser, it lets you see the individual resources that are requested when a site is loaded. This allows inexperienced users to see what a particular website is requesting in the background. By Jojo.
- Web Page Test is an open source project that is primarily being developed and supported by Google as part of our efforts to make the web faster.
- Web Server Vulnerability Scan with Nikto
- Web Cookies scans a website for HTTP cookies, Flash, HTML5 localStorage, sessionStorage, CANVAS, supercookies, evercookies as well as SSL/TLS and HTTP security
BAD CERTIFICATES One way to verify that your browser is working correctly when it comes to validating certificates is to
purposely give it a bad certificate.
FREAK attack on SSL/TLS March 4, 2015. A 10 year old flaw in SSL/TLS encryption was uncovered. The flaw can exist both
in web browser and web server software.
SUPERFISH Feb. 2015. Lenovo pre-installed adware called Superfish that broke HTTPS/SSL security on their Windows 8
Test for cellular ISP tracking beacons at lessonslearned.org/sniff by Kenn White.
ATT, Verizon, Sprint, Bell Canada and Vodacom are/were inserting "super cookies" into hidden web page headers when connected to
their 3G/4G data networks (does not apply with WiFi). If you are not being tracked the "Broadcast UID" is blank. The page explains the issue in detail. There is no HTTPS version of this page because the cellphone companies can not insert data into HTTPS traffic.
POODLE flaw in SSL v3 from October 2014. SSLv3 is old and buggy; POODLE will hopefully be the nail in the coffin that gets
software providers to remove it from both clients (mostly web browsers) and servers. These sites test either your
web browser or a website for the presence of SSL version 3. No support for SSL3 is the right answer.
Heartbleed from April 2014. Tests if a web server is vulnerable to the
Heartbleed flaw in OpenSSL.
Apple GoToFail bug from Feb 2014. Only applies to iOS 6, iOS 7 and OS X 10.9. These tests only work in web browsers,
but if an Apple device is vulnerable, the problem also exists with many, if not most apps that use the operating system for SSL/TLS security.
- SSL Labs Server Test: https://www.ssllabs.com/ssltest/. If all is well
it will say "This server is not vulnerable to the Heartbleed attack. (Experimental)".
- Netcraft has a
browser plugin for Chrome, Firefox and Opera. Netcraft is very qualified for testing both Heartbleed and for certificate revocation.
- The Crowdstrike Heartbleed Scanner can not only scan remote servers, it
can also scan your local area network. This lets it test for Heartbleed on your router, NAS or other local device. In addition, it tests many secure
services, such as email and FTP, whereas other scanners just focus on websites. Unlike all the other testers on this page, this is Windows
software that has to be downloaded. It is free, small and portable.
- https://lastpass.com/heartbleed from LastPass. If all is well it
should say "Vulnerable: No" with the No in green.
- http://filippo.io/Heartbleed by Filippo Valsorda. My least favorite option.
UPnP Testers (see
my blog on this for more)
Port 32764 Testers (see
my blog on this for more)
- The Rapid7 UPnP Check
- Steve Gibson added UPnP testing to his ShieldsUP! service
in January 2013. On the first page, click on the gray Proceed button. On the next page, click on the yellow/orange
button for GRC's Instant UPnP Exposure Test.
- Rapid7 also offers an installable program called
ScanNow that scans a LAN for UPnP enabled devices and reports if the devices are running buggy versions of
UPnP software. The program only runs on Windows and requires 32 bit versions of either Java 6 or Java 7. It is not
fully portable, but neither does it need to be installed. It requires an email address before it runs the first time.
Note: If you are behind a router with a firewall (as most of us are) then tests run from outside
your LAN (from the Internet) kick the tires on the firewall in your router, rather than the firewall on any of your computers.
DNS Server Tests:
Logjam flaw (May 2015):
Test your web browser:
- The weakdh.org website was created in May 2015 to document and test for the Logjam vulnerability.
If your browser is vulnerable there will be a red horizontal stripe at the top of the page saying "Warning! Your web browser is vulnerable to Logjam
and can be tricked into using weak encryption. You should update your browser." If all is well, a blue stripe will say
"Good News! Your browser is safe against the Logjam attack."
- The Guide to Deploying Diffie-Hellman for TLS at the weakdh.org site has a server test
- Qualys SSL Client Test shows whether the browser is vulnerable to
the Logjam flaw (among a lot of other information)
- TLS Logjam Check from KeyCDN can test if a server is vulnerable
Public IP Address:
- Test if the auto-fill feature of your browser is silently leaking information anttiviljami.github.io/browser-autofill-phishing
- How's My SSL? reports the version of SSL/TLS being used, whether the browser supports
forward secrecy, whether it is vulnerable to the BEAST attack and much more. Every test is explained reasonably well.
- whatbrowser.org displays, in simple language, the name of your web browser, its version and
whether it is the latest version.
- The YouTube HTML5 Video Player page shows if the browser is using Flash or HTML5
- Panopticlick from the EFF is a great example of browser fingerprinting. Sadly, you may be
- Qualys BrowserCheck scans your browser and plugins to see if they are up-to-date.
- Qualys SSL Labs also has an SSL Client Test that reports on the
SSL/TLS Capabilities of your web browser. This includes, but is not limited to, testing whether the browser is vulnerable to the Logjam, FREAK
and POODLE flaws.
- The weakdh.org website tests for the Logjam vulnerability. It is the home office for this flaw.
If your browser is vulnerable there will be a red horizontal stripe at the top of the page saying "Warning! Your web browser is vulnerable to Logjam
and can be tricked into using weak encryption. You should update your browser."
- Cipher Suites Supported by Your Browser from Leibniz University
reports on the SSL cipher suites your browser supports for securing HTTPS connections.
- The Mozilla Plugin Check. Originally, this only worked with Firefox, but in May 2010, it
was extended to work with other browsers as well.
Oct 19, 2014: This is very unreliable. Don't trust it. I have seen old plug-ins flagged as up to date too many times.
May 23, 2015: Support for other browsers has been withdrawn, it only supports Firefox
- The Cyscape Browser Capabilities Test Page relies on their BrowserHawk product.
Internet connection Speed Tests:
- At mxtoolbox.com you can look up the MX records for a domain. These mail exchanger records identify the receiving email server(s) for a domain.
- Test email for the availability of TLS at checktls.com. This feature encrypts email as it is sent from one email server to
- Inquire into SPF records for a domain at SPF Record Testing Tools from Kitterman Technical Services. Use this to see if a domain has an SPF record, what it is and whether it is valid or not.
- The dmarcian DMARC Inspector checks for and displays DMARC
records for a domain.
- Test the privacy of your email client at emailprivacytester.com by Mike Cardwell
Given a MAC address, find the company that it is assigned to at macvendors.com
- FLASH: SpeedTest.net is pretty much the unofficial standard.
It also exists as an app for iOS and Android. My previous favorite was SpeakEasy (now
- HTML5: The DSLreports.com speed test used to
is fast.com from Netflix. It only reports on download speed. Nothing about upload, ping, latency, jitter or bufferbloat. No ads either. Other HTML5 based speed tests are speedof.me, openspeedtest.com and
Check if your email address has been exposed in a data breach at haveibeenpwned.com
Check where a short URL really leads: checkshorturl.com
Infected thumb drives: In
Test your defenses against
malicious USB flash drives I provide a sample autorun.inf file that can be used on a thumb drive to test how well
a Windows machine is defended against malware that may live on a USB flash drive. January 2009.
Official documentation from Microsoft about how to block the installation of Windows 10 on computers running Windows 7 and 8: How to manage Windows 10 notification and upgrade options
Choose and review your Google privacy settings at https://myaccount.google.com/intro/privacy
Check if you are logged in to the TOR network at check.torproject.org
Test if a website is reachable from multiple locations at siteuptime.com.
Test if your credit card was stolen
The Social Network Login Status Detector Demo detects if you are logged in to Facebook, Twitter, Google or Google Plus.
Adobe has a Flash tester web page (they don't call it that)
that reports the currently installed version of Flash and the latest version for assorted browsers/OSs. Windows users need to run
this test for all browsers installed on their system as each can be using a different version of the
Flash player. My flashtester.org site has a version history of
Flash and provides a simple name to remember when looking for Adobe's Flash tester page.
The Adobe Flash Player Settings Manager is a set of web pages that let you configure Flash cookies (a.k.a. local shared objects) as well
as control how often Adobe checks for updates to the Flash player. For more from Adobe on this see: Flash
Player Help and How
to manage and disable Local Shared Objects.
- The Global
privacy settings page controls whether Flash based web sites can use your camera or microphone
Storage Settings control how much disk space websites can use to store information, or you can prohibit
websites from storing any information at all
Security Settings lets you specify if SWF or FLV content that uses older security rules can access the Internet.
Beats me too what that means.
- At the Website Privacy
Settings page you get a list of websites you've visited. For each you can specify rules about using your camera
or microphone or storing data on your computer.
- This is what Adobe says about the Website
Storage Settings panel: "Use this panel to specify storage settings for any or all of the websites that have requested
permission to use your camera or microphone or to store information on your computer."
Test HTML5 local storage
Enter your name, then reload the page.
Eric Gerds Plugin Detection detects
Java, QuickTime, Flash, Shockwave,
Windows Media Player, DevalVR, Silverlight and the VLC Player.
Eric Gerds (above) does not report the latest version of QuickTime, but you can see it at Apple's QuickTime download page.
Firefox 3.5 Location-Aware Browsing: Click the Give it a try link and Firefox and Google
team up to locate you based on both your IP address and nearby Wi-Fi networks.
I'm glad to report that on a computer without Wi-Fi it was off by roughly two thousand miles.
The PC Pitstop Quick Program Scan is an ActiveX based test that
tells you what's running on your computer, including background processes. For each process, it reports who made it and
what it is. Most importantly, perhaps, processes are color coded based on threat level: unknown, safe, optional,
spyware/adware, virus. Only works with Internet Explorer and will not run if IE is run in restricted mode with DropMyRights.
The Conficker Eye Chart is a simple
web page that reports whether your computer is infected with the Conficker worm. Joe Stewart came up with the idea
and he has a copy of the same page at his personal website.
The H security also has an online Conficker tester.
(at least working on this site, it may not
browser supports and displays your browser's "user agent", a string of characters that websites can use to
identify which web browser you are using.
Adobe has a page which tests for Shockwave
This page used to test for both Flash and Shockwave, no more.
Adobe does not have a page that tests AIR, as far as I know. But they do have
instructions for manually
checking file properties on Windows, Mac OS X and Linux. On Windows, you can check in the Control Panel just
as with all other software.
Test your brain at the Prevention Magazine Brainpower
Assessment Quiz. They say to allow 15 minutes for the test.
The Intel Driver Update Utilities will (in theory)
auto-detect if you have Intel hardware for video, audio, Wi-Fi or Ethernet. Each is a separate utility and
they only support Windows.
If one of the utilities finds Intel hardware, then it reports whether you have the latest driver or not.
Each utility works with either IE using ActiveX or Firefox using Java. Be warned though,
I tested them and found they failed to
correctly detect Intel hardware most of the time.
ClickJacking demos put together by Steve Gibson in October 2008.
As of May 2009 the demos seem to have gone stale, not sure.
Test if your ISP is manipulating BitTorrent
traffic from the Max Planck Institute for Software Systems
Windows Update: Conficker and other malware blocks access to Windows Update.
A quick and easy way to verify that Windows Update is working correctly is to manually run Microsoft's
Malicious Software Removal Tool. In Windows XP, do Start -> Run -> "mrt.exe". In Vista, click the Start
button and type "mrt" into the search box to locate the mrt.exe file. For more see my February 5, 2009
you don't know about the Windows Malicious Software Removal Tool.
Testing VRML plugins: cic.nist.gov/vrml/vbdetect.html
Mickey Segal has a Configuration
Test for Java that is very similar to the Version page here
Another Java tester is available from Duckware. They
also have an online tester for the bug in Java 7 Update 25
(and later?) that causes a Java warning message to display
the wrong program name. (added Aug 28, 2013)
Another Java tester is available at gemal.dk
as part of their BrowserSpy. Read more about BrowserSpy.
A low end Java tester is available from
Click and Learn has a browser tester in German that tests
Java, Flash, Acrobat, Windows Media player and more.
ScanIt has a web browser
security tester (a bit off this subject, but good to know)
www.mailtester.com validates an
email address and reports on the email server
www.dnsstuff.com offers domain name
tests, IP tests and hostname tests
PC Pitstop has an ActiveX
tester, very similar in concept to the Version page on this site. Martin
Heller has one too.
Testvirus.org allows you to send a harmless test virus to any email address. If
your mail server or email hosting provider is running anti-virus software, these emails should get blocked.
This isn't a tester, just a useful page. Microsoft's free
Office Online File Converters and
Who made that Ethernet network adapter? See the Wireshark
OUI Lookup Tool or query the IEEE directly.
You can also download the full list in plain text from the IEEE.
Is the router you are sitting behind enabled for IP version 6 (IPv6)? Test it at whatismyv6.com
Secure web pages are a sham. The page Test Secure Form
is a perfect example, the URL is HTTPS yet data entered
into the form is not secure. Yes, everything you have been told about website security is wrong.
CentralOps.net has a number of online techie networking tools. I like their
The ICSI Netalyzr tests your Internet connection for
signs of trouble. Very techie stuff. Requires Java. From their website: The International Computer Science
Institute (ICSI) is a leading center for research in computer science and one of the few independent,
non-profit research institutes in the United States.
Test your popup blocker at