badkeys.info

Fill with test data

Success Stories

DKIM keys vulnerable to Debian OpenSSL bug: badkeys helped to discover that many DKIM keys were vulnerable to CVE-2008-0166 in 2024.
Fermat attack: badkeys discovered weak RSA keys generated by printer firmware that can be trivially broken with Fermat's factorization algorithm (CVE-2022-26320).
Certificates with ROCA keys: badkeys detected certificates used by Yahoo with keys vulnerable to the ROCA attack (2021).
New insights about historic Debian OpenSSL bug: During the development of badkeys, it was discovered that the 2008 Debian OpenSSL bug can also impact elliptic curve / ECDSA keys (2022).
Certificates with OpenSSL test keys: badkeys discovered certificates that used example private keys from OpenSSL (2021).

Vulnerabilities

The badkeys service checks for these vulnerabilities:

Furthermore, the following discouraged practices are checked:

This project was created by Hanno Böck. The code checking for vulnerable keys is available on Github.

badkeys is currently funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990.

This work was initially funded in 2022 by Industriens Fond through the CIDI project (Cybersecure IOT in Danish Industry) and the Center for Information Security and Trust (CISAT) at the IT University of Copenhagen, Denmark.