This addon uses an en external server operated by Mozilla to check if a site is vulnerable to Heartbleed. This server is running a fork
of Filippo Valsorda's Heartbleed checker
. The first time you visit a new site with https after installing the add-on, a request will be made to that server with the hostname of the site (only the hostname is communicated, not the full URL) to check its vulnerability status. This status is cached locally in your browser by the add-on, and re-checked a regular intervals afterwards (this ensures you will get updates when sites are patched, but don't leak your browsing history to the service). The server does not keep logs of IP addresses. It does cache the vulnerabilty status of each hostname it receives for a limited period of time for performance.