DNS blacklist for weak SSL keys
Working closely with the German hosting company – manitu, heise is making available with immediate effect a realtime DNS-based blacklist service for identifying weak SSL keys. The provider already runs the Realtime Blacklist for the iX spam filter NiX Spam, which enables mail servers to identify and filter spam.
The principle of a DNS realtime blacklist is as simple as it is elegant. An application makes a DNS enquiry for <hash>.weakSSLkeys.dnsbl.manitu.net, which arrives at the name server responsible for the weakSSLkeys.dnsbl.manitu.net domain. It checks in its lists to see whether the string – host name is there. If it is, the DNS server responds with the IP address 127.0.0.2; if it cannot find the string, it responds with 127.0.0.3. DNS blacklists normally use NXDOMAIN for a negative result. It makes little sense to do so here, however, as under certain circumstances, certificate tests cannot determine the exact error code of the DNS lookup.
The SHA1 hash value from the certificate's modulus of the RSA key is used as the host name. All tests for weak SSL certificates use a similar fingerprinting, including the Debian Tools openssl-vulnkey and the heise networks SSL tests. The lists log keys with 512, 1024, 2048 and 4096-bits, both for 32- and 64-bit systems and little- or big-endian architectures.
All tools for the SLL certificate test can be used for the SLL blacklist service, which saves having to download and maintain the weak key lists, which now contain around 1.2 million entries. The service is provided free of charge. As only the key's hash value is sent, there is no problem with confidentiality. Also, it is not possible to ascertain the server addresses or the URL being used from the hash value.