Thursday, July 3, 2008

SSL Blacklist Service - Free of charge

DNS blacklist for weak SSL keys

Working closely with the German hosting company manitu, heise is making available, with immediate effect, a realtime DNS-based blacklist service for identifying weak SSL keys. The provider already runs the realtime blacklist for the iX spam filter NiX Spam, which lets mail servers identify and filter spam.

The principle of a DNS realtime blacklist is as simple as it is elegant. An application makes a DNS query for a name of the form <hash>.weakSSLkeys.dnsbl.manitu.net, which arrives at the name server responsible for the weakSSLkeys.dnsbl.manitu.net domain. That server checks its lists to see whether the string (the host name) is there. If it is, the DNS server responds with the IP address 127.0.0.2; if it cannot find the string, it responds with 127.0.0.3. DNS blacklists normally signal a negative result with NXDOMAIN. That makes little sense here, however, because under certain circumstances certificate tests cannot determine the exact error code of the DNS lookup, so a failed lookup could be mistaken for a clean result.

The host name is the SHA1 hash of the modulus of the certificate's RSA key. All tests for weak SSL certificates use similar fingerprinting, including the Debian tool openssl-vulnkey and the heise networks SSL tests. The lists cover keys of 512, 1024, 2048 and 4096 bits, generated on both 32- and 64-bit systems and on little- and big-endian architectures.
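A client-side lookup of the kind the two paragraphs above describe, written as an added illustration for this post rather than code from heise or manitu: it assumes the openssl-vulnkey-style `Modulus=<HEX>` text as the input to SHA1 (the article does not spell out the exact form), takes the zone name from the article, and accepts an injected resolver so the classification can be exercised offline, with lookup failures reported as "unknown" rather than as a clean key.

```python
import hashlib
import socket
from typing import Callable, Optional

# Zone name as given in the article; the service itself is no longer online.
BLACKLIST_ZONE = "weakSSLkeys.dnsbl.manitu.net"
LISTED = "127.0.0.2"      # answer when the key is on the weak-key list
NOT_LISTED = "127.0.0.3"  # explicit "not listed" answer instead of NXDOMAIN

# Constructed sample modulus for the demonstration, not a real key.
SAMPLE_MODULUS = 0xC0FFEE1234567890ABCDEF


def modulus_fingerprint(modulus: int) -> str:
    """SHA1 (hex) of the modulus in the text form `openssl x509 -modulus` prints.

    Assumption: the service hashes the same `Modulus=<HEX>` line (with trailing
    newline) that openssl-vulnkey pipes through sha1sum; the article only says
    the SHA1 of the modulus is used.
    """
    text = "Modulus=%X\n" % modulus
    return hashlib.sha1(text.encode("ascii")).hexdigest()


def query_name(modulus: int) -> str:
    """Host name to look up: <sha1-hex>.<zone>."""
    return f"{modulus_fingerprint(modulus)}.{BLACKLIST_ZONE}"


def dns_lookup(name: str) -> Optional[str]:
    """Default resolver: the A record, or None if resolution fails for any reason."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def check_key(modulus: int,
              resolve: Callable[[str], Optional[str]] = dns_lookup) -> str:
    """Classify a modulus as 'weak', 'ok' or 'unknown'.

    'unknown' covers NXDOMAIN, timeouts and unexpected answers: a lookup that
    fails must never be reported as a clean key, which is exactly why the
    service answers 127.0.0.3 explicitly instead of relying on NXDOMAIN.
    """
    answer = resolve(query_name(modulus))
    if answer == LISTED:
        return "weak"
    if answer == NOT_LISTED:
        return "ok"
    return "unknown"
```

Pass a real resolver (the default) to query a live zone; pass a stub, as the tests do, to exercise the three outcomes without network access.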

The full article can be read here.
