badkeys
Find broken cryptographic keys
badkeys
Tool and webpage that allow checking cryptographic public keys
for known vulnerabilities
Example: DKIM keys
In early 2024, around 0.25% of DKIM keys were vulnerable to
the Debian OpenSSL bug from 2008 (CVE-2008-0166)
@cisco.com, @oracle.com, @skype.net, @github.partners,
@partner.crowdstrike.com, @partners.dropbox.com, @1password.com
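The kind of check behind that DKIM result, as an added example (not badkeys' own code): a DKIM TXT record carries the RSA public key base64-encoded in its p= tag as a DER SubjectPublicKeyInfo, so the key is parsed out of the record, and its modulus is looked up in a blocklist of known-compromised moduli and run through a few sanity checks. The blocklist format here (hex SHA-256 of the big-endian modulus) and the sample moduli are constructed for illustration; badkeys' own blocklist data and its key-type coverage differ.

```python
"""Check the RSA key in a DKIM TXT record against a blocklist of known-bad moduli.

Added example, not part of badkeys. Blocklist format (hex SHA-256 of the
big-endian modulus) and the sample keys are assumptions for illustration.
"""
import base64
import hashlib
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


# --- minimal DER helpers, enough for an RSA SubjectPublicKeyInfo ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v: int) -> bytes:
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:  # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return _der_tlv(0x02, b)


def rsa_spki(n: int, e: int) -> bytes:
    """Encode (n, e) as DER SubjectPublicKeyInfo, the format DKIM's p= tag carries."""
    alg = _der_tlv(0x30, _der_tlv(0x06, RSA_OID) + b"\x05\x00")
    key = _der_tlv(0x30, _der_int(n) + _der_int(e))
    return _der_tlv(0x30, alg + _der_tlv(0x03, b"\x00" + key))


def _der_read(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_from_spki(der: bytes):
    """Extract (n, e) from a DER SubjectPublicKeyInfo; ValueError if it is not RSA."""
    tag, spki, _ = _der_read(der, 0)
    _, alg, pos = _der_read(spki, 0)
    _, oid, _ = _der_read(alg, 0)
    if tag != 0x30 or oid != RSA_OID:
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    _, bits, _ = _der_read(spki, pos)
    _, key, _ = _der_read(bits, 1)  # skip the unused-bits octet of the BIT STRING
    _, nb, pos = _der_read(key, 0)
    _, eb, _ = _der_read(key, pos)
    return int.from_bytes(nb, "big"), int.from_bytes(eb, "big")


def parse_dkim_record(txt: str) -> dict:
    """Split 'v=DKIM1; k=rsa; p=...' into tags; whitespace inside values is folding space."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def modulus_fingerprint(n: int) -> str:
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()


def check_dkim_record(txt: str, blocklist: set) -> list:
    """Return a list of findings; an empty list means nothing known-bad was detected."""
    tags = parse_dkim_record(txt)
    if tags.get("k", "rsa") != "rsa":
        return ["unsupported key type %r" % tags.get("k")]
    if not tags.get("p"):
        return ["key revoked (empty p=)"]
    n, e = rsa_from_spki(base64.b64decode(tags["p"]))
    findings = []
    if modulus_fingerprint(n) in blocklist:
        findings.append("modulus on blocklist of known compromised keys")
    if n.bit_length() < 1024:
        findings.append("modulus only %d bits" % n.bit_length())
    if n % 2 == 0:
        findings.append("even modulus, trivially factorable")
    if e < 3 or e % 2 == 0:
        findings.append("invalid public exponent %d" % e)
    return findings


# Constructed sample inputs (not real RSA moduli): a 2048-bit odd number standing in
# for a key on the blocklist, and a 512-bit one that is merely too small.
BAD_N = int.from_bytes(hashlib.sha512(b"constructed").digest() * 4, "big") | (1 << 2047) | 1
SMALL_N = int.from_bytes(hashlib.sha512(b"small").digest(), "big") | (1 << 511) | 1
BLOCKLIST = {modulus_fingerprint(BAD_N)}


def dkim_txt(n: int, e: int = 65537) -> str:
    """Build a DKIM TXT record value for (n, e)."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki(n, e)).decode()


if __name__ == "__main__":
    for name, n in [("blocklisted", BAD_N), ("small", SMALL_N)]:
        print(name, check_dkim_record(dkim_txt(n), BLOCKLIST))
```

In practice the record comes from a DNS TXT query for `<selector>._domainkey.<domain>` and the blocklist from a data set of known-compromised keys such as the one badkeys ships; the fingerprint lookup is what lets the check run over hundreds of thousands of keys without any expensive per-key computation.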
Plans
- Infrastructure for regular monitoring of DKIM, DNSSEC,
and WebPKI certificates for vulnerable keys
- Automated revocation service for WebPKI
- Expansion of coverage of "public private keys"
Thanks for listening!
If you work in security (pentests, etc.), I encourage you
to make badkeys part of your toolset.