
Introducing Apex Discovery to secure every domain you actually own
Most tools will only test the domains you already know about. We’ve decided that’s not enough. TLDR: Detectify’s new Apex Discovery automatically identifies root domains …

Detectify
Today’s update brings you 21 new security modules that test your site for a range of vulnerabilities including more WordPress vulnerabilities and ROCA (vulnerable RSA generation).
An attacker can generate a valid private key based only on your certificate. This in turn lets them do anything one can do with your private key including encrypting traffic, decrypting traffic and impersonating your website.
The vulnerability comes from a software library used in cryptography hardware made by Infineon Technologies AG. The hardware has been used by several vendors for anything from TLS/HTTPS certificates to PGP and smart cards.
Anyone with a HTTPS certificate could potentially be vulnerable if they’re not sure how the keys were generated or if the keys were not generated in an environment they control. In practice relatively few HTTPS certificates were generated with Infineon hardware so most people should not actually be vulnerable.
While scanning, Detectify fingerprints your public key. If ROCA is one of your findings, we recommend you contact your certificate issuer for details. The certificate needs to be revoked and replaced with new ones without this vulnerability. It’s very important that the old certificates are revoked or they could still be used by an attacker to impersonate your website.
More details about CVE-2017-15361
How to test keys not connected to Detectify: Upload public key to https://keychest.net/roca or https://keytester.cryptosense.com to test your key.
Can I test PGP keys? Yes: Send a signed email to roca[at]keychest.net to obtain an automatic email response with the analysis of the signing key vulnerability.
Note all these services are third party services unrelated to Detectify.

Most tools will only test the domains you already know about. We’ve decided that’s not enough. TLDR: Detectify’s new Apex Discovery automatically identifies root domains …

We are launching the Detectify MCP Server to deliver real-time vulnerability data and attack surface insights directly into your AI-powered workflows. Built for developers and …