Other Testers
No web site on the Internet is particularly unique. Below is a list of other "tester" web sites.
- Oracle now has two automated Java tester pages (in the old days Sun had more). Both pages
report the currently installed version of Java and whether it is the latest and greatest (previously some of their tester
pages left this out). However, as befits a large organization and Oracle in
particular, the two pages do not always agree as to whether the latest version of Java is installed.
The pages are:
On March 4, 2013, I tried both pages on a Windows computer running Java 6 update 41, which was the latest version of
Java 6 at the time. The top page reported "Latest Java installed". The bottom page warned that "A newer version of
Java is available" and prompted me to download Java 7 Update 15.
March 5, 2013. After the release of Java 6 Update 43, I tested again.
The top tester page now initially warns that "An old version of Java has been detected on your system."
But, when I clicked on the "test the currently installed version of Java" link, it reported "Latest Java installed".
The bottom tester page now invokes a signed Java applet. Finally. Like yesterday, it warns that
"A newer version of Java is available" but it now prompts to download Java 7 Update 17.
- There are two manual ways to check the latest version of Java from Oracle
- Spectre CPU Vulnerability check from Tencent labs
- SpecuCheck for Windows reports on the state of fixes for Meltdown and Spectre. Technically it should not be here as it is not an online tester, but rather a pair of EXE files you need to download and run.
- WebRTC can leak public IP address while on VPN
- Internet connection Speed Tests:
- fast.com is from Netflix. By default, it only reports on download speed, but you can get it to also test uploads by clicking the "Show More Info" button. It also reports on Latency. No ads/trackers. Do not run this while connected to a 4G/LTE network (long story).
- SpeedTest.net is pretty much the unofficial standard. Also available as an app for iOS and Android. Lots of ads and trackers.
- Cloudflare has a speed test at speed.cloudflare.com. Like SpeedTest.net it automatically runs the test against a Cloudflare server that is physically near you. Unlike SpeedTest.net, you can not change the server it tests with. For download speeds, it run multiple tests using four different sized files and reports on the speed for each file size. It also measures Latency and Jitter. It does not measure upload speed (as of June 2020). No ads/trackers. Like Fast.com it is good for non-techies as there is no button to click to run the test. In September 2020 I did some comparison of speed testers and this reported a much slower speed than all the others.
- The M-Lab Speed Test has no ads and takes about 10 seconds to run. Measurement Lab (M-Lab) provides the largest collection of open Internet performance data on the planet. They are a consortium of research, industry, and public-interest partners.
- The LibreSpeed Speedtest runs fairly quickly. No ads/trackers.
- The Open Broadband Speed Test at InternetHealthTest.org runs multiple speed tests from multiple locations, so it takes a while to complete.
- speedtest.pnl.gov employs a test from OpenSpeedtest.com. Hosted at Pacific Northwest National Laboratory
- The Cool Fast Internet Download Speed Test by Jerry Jongerius works in any web browser. Rather than report just one number, it shows a graph of the varying speed during the test (which takes about 15 seconds). Uses a single download socket.
- The SpeakEasy Speed Test has been around forever.
- Other speed tests: speedof.me, openspeedtest.com and www.bandwidthplace.com
- The Open Speed Test also reports Ping and Jitter
- The DSLreports.com speed test seems to have died, as of September 2020. It is the only one I know of that reports on Buffer Bloat.
- At speedtest.samknows.com you can see Latency, Jitter, Upload speed and Download speed very clearly. No ads.
- At testmy.net you can chose to test upload or download speed individually.
- Google:
- Website Security Tests:
- Website Non-security Tests: Some of these merely claim to be speed testers but they all illuminate a lot about what goes under underneath a web page. For example, where the ads and trackers come from.
- Pingdom Tools has a website speed test and ping speed tests.
- Dotcom-Monitor offers similar tools and more.
- Google has a Mobile-Friendly test
- GTMetrix claims to give you insight on how well your site loads and provide recommendations on how to optimize it.
- Website Speed Test from KeyCDN.
- Google has a Page Speed Insights test that reports on mobile friendly issues.
- urlscan.io analyses websites and the resources they request. Much like the Inspector of your browser, it lets you see the individual resources that are requested when a site is loaded. This allows inexperienced users to see what a particular website is requesting in the background. By Jojo.
- Web Page Test is an open source project that is primarily being developed and supported by Google as part of our efforts to make the web faster.
- Web Server Vulnerability Scan with Nikto
- Web Cookies scans a website for HTTP cookies, Flash, HTML5 localStorage, sessionStorage, CANVAS, supercookies, evercookies as well as SSL/TLS and HTTP security
- cookieserve.com reports on the cookies set by a website.
Website malware and tracking tests
CHROMEBOOKS Newer ones get Linux apps and 5 years of bug fixes.
BAD CERTIFICATES One way to verify that your browser is working correctly when it comes to validating certificates is to
purposely give it a bad certificate.
Test for cellular ISP tracking beacons at lessonslearned.org/sniff by Kenn White.
ATT, Verizon, Sprint, Bell Canada and Vodacom are/were inserting "super cookies" into hidden web page headers when connected to
their 3G/4G data networks (does not apply with WiFi). If you are not being tracked the "Broadcast UID" is blank. The page explains the issue in detail. There is no HTTPS version of this page because the cellphone companies can not insert data into HTTPS traffic.
www.displayhz.com shows the actual Hertz of your computer display. By Jerry Jongerius
Test your web browser:
- Test if the auto-fill feature of your browser is silently leaking information anttiviljami.github.io/browser-autofill-phishing
- The Cloudflare Browsing Experience Security Check tests if your browser encrypted the Server Name Indicator when accessing the site. The one thing that has always leaked with SSL/TLS was the name of the visited website. TLS 1.3 has an option to encrypt the website name called Encrypted SNI. Firefox 92, Chrome 93 and Brave 1.30.86 (on Windows) all failed the Encrypted SNI test (Sept 2021).
It also tests for the presence of TLS 1.3 (it should be in use), secure DNS and DNSSEC. In my tests it was never sure about secure DNS.
- How's My SSL? reports the version of SSL/TLS being used, whether the browser supports
forward secrecy, whether it is vulnerable to the BEAST attack and much more. Every test is explained reasonably well.
- www.deviceinfo.me reports a ton of information about your web browser and its environment.
- Panopticlick from the EFF was a great example of browser fingerprinting. It has been replaced by coveryourtracks.eff.org which tests how well you are protected from both tracking and fingerprinting.
- Qualys BrowserCheck scans your browser and plugins to see if they are up-to-date.
- Qualys SSL Labs also has an SSL Client Test that reports on the
SSL/TLS Capabilities of your web browser. This includes, but is not limited to, testing whether the browser is vulnerable to the Logjam, FREAK
and POODLE flaws.
- The weakdh.org website tests for the Logjam vulnerability. It is the home office for this flaw.
If your browser is vulnerable there will be a red horizontal stripe at the top of the page saying "Warning! Your web browser is vulnerable to Logjam
and can be tricked into using weak encryption. You should update your browser."
- The Mozilla Plugin Check. Originally, this only worked with Firefox, but in May 2010, it
was extended to work with other browsers as well.
Oct 19, 2014: This is very unreliable. Don't trust it. I have seen old plug-ins flagged as up to date too many times.
May 23, 2015: Support for other browsers has been withdrawn, it only supports Firefox
- The YouTube HTML5 Video Player page shows if the browser is using Flash or HTML5
- The Cyscape Browser Capabilities Test Page relies on their BrowserHawk product.
Public IP Address:
- IPChicken is my favorite website for reporting on your IP address. The
"Name Address" field often makes the ISP name obvious.
- ip.me from Proton also shows the location of the public IP address
- Dyn offers a minimal interface: checkip.dyndns.com.
- Synology also offers a minimal interface: checkip.synology.com.
- Some VPN providers post both your IP address and your ISP at the top of their home page. Some that do this are
PrivateInternetAccess, NordVPN and IVPN. Tunnelbear offers the same information
at bearsmyip.com.
- VPN provider Perfect Privacy reports your public IP address for both IPv4 and IPv6 along
with your physical location and a DNS server.
- whoer.net reports your public IP address, your ISP and a ton of information about your
computer
- This page www.ip-adress.com/what_is_my_ip/ reports the usual stuff and adds some information about your browser.
- A Google search for "ip" returns your public IP address. A duckduckgo.com search for "ip" returns both your public IP address and your
location.
- Find other websites hosted on a given IP address at yougetsignal.com/tools/web-sites-on-web-server
- And, you can also find other websites hosted on a given IP address at https://www.urlvoid.com/ip/1.2.3.4 (obviously change the IP address)
IP version 6 (IPv6) Public IP address:
Physical Location:
Host name(s):
Given an IP address, find the name of the computer, a.k.a. its hostname.
Router/Firewall Testers
The tests that were here are now included in my Router Security site
DNS Server Tests:
The tests that were here are now included in my Router Security site
Email:
- At mxtoolbox.com you can look up the MX records for a domain. These mail exchanger records identify the recieving email server(s) for a domain.
- Test email for the availability of TLS at checktls.com. This feature encrypts email as it is sent from one email server to
another.
- Inquire into SPF records for a domain at SPF Record Testing Tools from Kitterman Technical Services. Use this to see if a domain has an SPF record, what it is and whether it is valid or not.
- The dmarcia DMARC Inspector checks for and displays DMARC
records for a domain.
- Test the privacy of your email client at emailprivacytester.com by Mike Cardwell
Given a MAC address, find the company that it is assigned to at macvendors.com or macvendorlookup.com or macaddress.io or whatsmyip.org/mac-address-lookup
The Outgoing port tester at portquiz.net listens on all TCP ports, allowing you to test any outbound TCP port. The one exception seems to be the file sharing port 445.
Check if your email address has been exposed in a data breach at haveibeenpwned.com
Check how your ad/tracker blocking is working at d3ward.github.io/toolz/src/adblock by Eduard Ursu
Check where a short URL really leads: checkshorturl.com and urlxray.com (HTTP only)
Infected thumb drives: In
Test your defenses against
malicious USB flash drives I provide a sample autorun.inf file that can be used on a thumb drive to test how well
a Windows machine is defended against malware that may live on a USB flash drive. January 2009.
Official documentation from Microsoft about how to block the installation of Windows 10 on computers running Windows 7 and 8: How to manage Windows 10 notification and upgrade options
Chose and review your Google privacy settings at https://myaccount.google.com/intro/privacy
Check if you are logged in to the TOR network at check.torproject.org
Test if a website is reachable from multiple locations at siteuptime.com.
Test if your credit card was stolen
The Social Network Login Status Detector Demo detects if you are logged in to Facebook, Twitter, Google or Google Plus.
Adobe has a Flash tester web page (they don't call it that)
that reports the currently installed version of Flash and the latest version for assorted browsers/OSs. Windows users need to run
this test for all browsers installed on their system as each can be using a different version of the
Flash player. My flashtester.org site has a version history of
Flash and provides a simple name to remember when looking for Adobe's Flash tester page.
The Adobe Flash Player Settings Manager are web pages that let you configure Flash cookies (a.k.a. local shared objects) as well
control how often Adobe checks for updates to the Flash player. For more from Adobe on this see: Flash
Player Help and How
to manage and disable Local Shared Objects.
- The Global
privacy settings page controls whether Flash based web sites can use your camera or microphone
- Global
Storage Settings control how much disk space websites can use to store information, or you can prohibit
websites from storing any information at all
- Global
Security Settings lets you specify if SWF or FLV content that uses older security rules can access the Internet.
Beats me too what that means.
- At the Website Privacy
Settings page you get a list of websites you've visited. For each you can specify rules about using your camera
or microphone or storing data on your computer.
- This what Adobe says about the Website
Storage Settings panel: "Use this panel to specify storage settings for any or all of the websites that have requested
permission to use your camera or microphone or to store information on your computer."
Test HTML5 local storage.
Enter your name, then reload the page.
Test the DNS configuration for a domain at Zonemaster in Swedish or in English. A very extensive report, for techies only.
The DNS Propagation Checker at www.whatsmydns.net is really for webmasters. It reports on DNS information from multiple DNS servers around the world.
Eric Gerds Plugin Detection detects
Java, QuickTime, Flash, Shockwave,
Windows Media Player, DevalVR, Silverlight and the VLC Player.
Eric Gerd (above) does not report the latest version of QuickTime, but you can see it at Apple's QuickTime download page.
The Conficker Eye Chart is a simple
web page that reports whether your computer is infected with the Conficker worm. Joe Stewart came up with the idea
and he has a copy of the same page at his personal website.
The JavaScript tester page on this site verifies if JavaScript is working
(at least working on this site, it may not
work on other sites if you use the Firefox NoScript extension), reports the version of JavaScript your web
browser supports and displays your browsers "user agent", a string of characters that websites can use to
identify which web browser you are using.
Adobe has a page which tests for Shockwave
(alternate link).
This page used to test for both Flash and Shockwave, no more.
Adobe does not have an page that tests AIR, as far as I know. But they do have
instructions for manually
checking file properities on Windows, Mac OS X and Linux. On Windows, you can check in the Control Panel just
as with all other software.
Test your brain at the Prevention Magazine Brainpower
Assessment Quiz. They say to allow 15 minutes for the test.
LCD MONITORS
Learn about Firefox Location-Aware Browsing at Does Firefox share my location with websites?
There used to an online demo but it has been removed. Firefox and Google
locate you based on both your IP address and nearby Wi-Fi networks.
The Intel Driver Update Utilities will (in theory)
auto-detect if you have Intel hardware for video, audio, Wi-Fi or Ethernet. Each is a separate utility and
they only support Windows.
If one of the utilities finds Intel hardware, then it reports whether you have the latest driver or not.
Each utility works with either IE using ActiveX or Firefox using Java. Be warned though,
I tested them and found they failed to
correctly detect Intel hardware most of the time.
ClickJacking demos put together by Steve Gibson in October 2008.
As of May 2009 the demos seem to have gone stale, not sure.
Test if your ISP is manipulating BitTorrent
traffic from the Max Planck Institute for Software Systems
Windows Update: Conficker and other malware blocks access to Windows Update.
A quick and easy way to verify that Windows Update is working correctly is to manually run Microsoft's
Malicious Software Removal Tool. In Windowx XP, do Start -> Run -> "mrt.exe". In Vista, click the Start
button and type "mrt" into the search box to locate the mrt.exe file. For more see my February 5, 2009
blog posting
What
you don't know about the Windows Malicious Software Removal Tool.
Testing VRML plugins: cic.nist.gov/vrml/vbdetect.html
Mickey Segal has a Configuration
Test for Java that is very similar to the Version page here
Another Java tester is available from Duckware. They
also have an online tester for the bug in Java 7 Update 25
(and later?) that causes a Java warning message to display
the wrong program name. (added Aug 28, 2013)
Another Java tester is available at gemal.dk
as part of their BrowserSpy. Read more about BrowserSpy.
A low end Java tester is available from
upshot.com
Click and Learn has a browser tester in German that tests
Java, Flash, Acrobat, Windows Media player and more.
ScanIt has a web browser
security tester (a bit off this subject, but good to know)
www.mailtester.com validates an
email address and reports on the email server
www.dnsstuff.com offers domain name
tests, IP tests and hostname tests
This isn't a tester, just a useful page. Microsoft's free
Office Online File Converters and
Viewers
Who made that Ethernet network adapter? See the Wireshark
OUI Lookup Tool or query the IEEE directly.
You can also download the full list in plain text from the IEEE.
Secure web pages are a sham. The page Test Secure Form
is a perfect example, the URL is HTTPS yet data entered
into the form is not secure. Yes, everything you have been told about website security is wrong.
WhoIs lookup at DomainTools.com
WhoIs lookup at DNS Simple
DNSdumpster.com discovers host names related to a domain
builtwith.com is used to find out what websites are built with
CentralOps.net has a number of online techie networking tools. I like their
NsLookup and
Domain Dossier.
The ICSI Netalyzr tests your Internet connection for
signs of trouble. Very techie stuff. Requires Java. From their website: The International Computer Science
Institute (ICSI) is a leading center for research in computer science and one of the few independent,
non-profit research institutes in the United States.
Apple GoToFail bug from Feb 2014. Only applies to iOS 6, iOS7 and OS X 10.9. These tests only work in web browsers,
but if an Apple device is vulnerable, the problem also exists with many, if not most apps that use the operating system for SSL/TLS security.
See Wired.
POODLE flaw in SSL v3 from October 2014. SSLv3 is old and buggy, POODLE will hopefully be the nail in the coffin that gets
software providers to remove it from both clients (mostly web browsers) and servers. These sites test either your
web browser or a website for the presence of SSL version 3. No support for SSL3 is the right answer.
Heartbleed from April 2014. Tests if a web server is vulnerable to the
Heartbleed flaw in OpenSSL.
- SSL Labs Server Test: https://www.ssllabs.com/ssltest/. If all is well
it will say "This server is not vulnerable to the Heartbleed attack. (Experimental)".
Read more.
- Netcraft has a
browser plugin for Chrome, Firefox and Opera. Netcraft is very qualified for testing both Heartbleed and for certificate revocation.
Recommended.
- The Crowdstrike Heartbleed Scanner can not only scan remote servers it
can also scan your local area network. This lets it test for Heartbleed on your router, NAS or other local device. In addition, it tests many secure
services, such as email and FTP, whereas other scanners just focus on websites. Unlike all the other testers on this page, this is Windows
software that has to be downloaded. It is free, small and portable.
- https://lastpass.com/heartbleed from Lastpass. If all is well is
should say "Vulnerable: No" with the No in green.
- http://filippo.io/Heartbleed by Filippo Valsorda. My least favorite option.
FREAK attack on SSL/TLS March 4, 2015. A 10 year old flaw in SSL/TLS encryption was uncovered. The flaw can exist both
in web browser and web server software.
SUPERFISH Feb. 2015. Lenovo pre-installed adware called superfish that broke HTTPS/SSL security on their Windows 8
consumer PCs.
Logjam flaw (May 2015):
- The weakdh.org website was created in May 2015 to document and test for the Logjam vulnerability.
If your browser is vulnerable there will be a red horizontal stripe at the top of the page saying "Warning! Your web browser is vulnerable to Logjam
and can be tricked into using weak encryption. You should update your browser." If all is well, a blue stripe will say
"Good News! Your browser is safe against the Logjam attack."
- The Guide to Deploying Diffie-Hellman for TLS at the weakdh.org site has a server test
- Qualys SSL Client Test shows whether the browser is vulnerable to
the Logjam flaw (among a lot of other information)
- TLS Logjam Check from KeyCDN can test if a server is vulnerable
Test your popup blocker at
