Working closely with the German hosting company – manitu, heise is making available with immediate effect a realtime DNS-based blacklist service for identifying weak SSL keys. The provider already runs the Realtime Blacklist for the iX spam filter NiX Spam, which enables mail servers to identify and filter spam.
The principle of a DNS realtime blacklist is as simple as it is elegant. An application makes a DNS enquiry for
The SHA1 hash value from the certificate's modulus of the RSA key is used as the host name. All tests for weak SSL certificates use a similar fingerprinting, including the Debian Tools openssl-vulnkey and the heise networks SSL tests. The lists log keys with 512, 1024, 2048 and 4096-bits, both for 32- and 64-bit systems and little- or big-endian architectures.
Full article can be read from here.