heise Online releases the heise SSL Guardian
In the light of our recent findings regarding a proliferation of weak SSL keys that threaten the security of online financial transactions, heise Online has made available a tool to help protect users.
During online financial transactions or logins to secure systems, HTTPS connections are often used to transfer important data, such as passwords, PINs, or credit card numbers. However, an error in the Debian Linux distribution has generated numerous certificates that are straightforward to crack. As many servers still use these weak keys, we have developed the heise SSL Guardian, which checks SSL certificates and warns you when it detects a weak one.
We now supply two tests for determining the use of weak keys in certificates. The first of these is the heise networks SSL test. It enables owners of certificates, such as an online shop, to test their own key to see if it is weak. If it is, an error message is displayed, such as the one in the following example:
The latest test is the new heise SSL Guardian, which is intended for users who might be logging into a private system or shopping online. If a weak key is encountered when connecting to a secured site, an error message such as this is displayed:
The above tests were run on Monday 7th July. The company concerned, pppay.com, an organisation for sending money by email, was informed before publication.