Dimension scores are derived from public data and fields and are weighted into the composite score. For reference only.
badkeys.info is a service for checking whether cryptographic public keys are affected by known vulnerabilities. It supports X.509 certificates, CSRs, PEM public and private keys, PKCS #1, PKCS #8, and SSH public keys. The site explicitly warns that while uploading private keys is technically supported, production private keys should not be uploaded — a critical point for safe use.
In terms of protection scope, badkeys is not focused on network perimeter defense, but rather on cryptographic key quality and leakage-risk detection. It covers the Debian OpenSSL bug, common prime factor issues, ROCA, keypair/GitKraken, the Fermat attack, Wiener's attack, leaked Fortinet/FortiGate keys, and various "Public Private Keys." It also checks for discouraged practices such as DSA, small or unusual RSA exponents, and small or unusual RSA key lengths. The main documentation indicates that most currently covered vulnerabilities affect RSA, while other key types may be expanded in the future, so it should not be treated as a full-spectrum key security audit platform for all algorithms.
Deployment options include online checks through the website and the locally installed badkeys software. The local software provides a Python library and command-line tools, and the official guidance recommends the software version when checking large numbers of keys. This makes it suitable for integration into bulk certificate inventories, SSH key audits, or CI security scripts. In terms of management and alerting, the available text does not show an account system, centralized console, alert notifications, reports, or audit logs, so there is not enough information to assess its enterprise operations capabilities.
The collected text does not disclose pricing, payment methods, commercial support, or compliance certifications. Enterprise users that require SLAs, contracts, data processing agreements, or compliance evidence should further verify the service operator, data handling practices, and local deployment options before adoption.
Its strengths are its specialized detection coverage, support for multiple real-world incidents and CVEs, and explanations of detection principles and limitations. Its drawbacks are that the scope is mainly limited to cryptographically weak keys, and some checks depend on known datasets, so it cannot guarantee discovery of all unknown weak keys. It is well suited to security researchers, PKI/TLS operations teams, certificate governance teams, firmware security analysts, and organizations that need to investigate historical weak RSA/SSH/TLS keys.
The source text does not provide information on access from China, so availability is unknown. If online access is unstable, it is recommended to use its local Python/CLI tools first. Alternative or complementary options may include OpenSSL, ssh-keygen, zlint, testssl.sh, certificate transparency search platforms, and enterprise certificate lifecycle management and key management systems.
⚠ This review is compiled from public sources and does not constitute a purchase recommendation. Verify all facts on the vendor's official site (badkeys.info).
badkeys.info is a security provider based in Germany. TG4G tracks its product information, an overall rating of 8.0/10, and a China-accessibility rating of "China direct-connect friendly."