Who runs this service?

This free tool is provided by Cryptosense, a start-up making software which helps companies find and fix security flaws in systems that use cryptography.

What is this tool for?

The Cryptosense Discovery application can find Internet-facing services protected by cryptography and evaluate the security of the crypto they use.

How is it different from other similar sites?

There are many web-based tools for evaluating crypto services. Ours is different in two ways: one is that it attempts to discover hosts and services for analysis rather than requiring the user to know exactly where the crypto is before using it. The second is that it tries to explain the findings in detail in terms of standards and known attacks, to allow a risk evaluation, rather than just flagging things as red or green.

How do I get an A?

From the "Check results" page where you can see your score, click on "Get help" to get a remediation report. You will receive a PDF with instructions on how to fix the configuration of your SSH and web servers.

How can I contact you?

If you came across a security issue, or if our application is causing trouble for your infrastructure, or you just have a comment on the results, please contact us here.

How are the scores calculated?

We explain our rationale in this blog post.

If my server gets an A, does that mean it is secure?

An A means the cryptography that we were able to detect is up to date with our standards. The server may have plenty of other vulnerabilities not related to cryptography at all, or an application being served over secure crypto may have application-level vulnerabilities like XSS or SQL injection bugs. There may also be crypto services running that we didn't detect, because our scans were blocked or because they are running on non-standard ports.

Additionally, some crypto flaws, such as poor key management, are hard or impossible to detect from an external scan. For this, we have other tools.

Are there any other limitations?

Several, including the following:

  • While our recommendations are aimed at mitigating vulnerabilities, we don't perform intrusive tests that would accurately determine whether a given vulnerability really affects a server.
  • Certificate chains and related TLS or HTTP extensions (e.g. OCSP, HSTS, HPKP) are not analyzed.
  • When rating ciphersuites offered by a server, we don't attempt to account for the suites offered by clients and what the final suite used will be as a result. This information is widely available for web browsers but harder to come by for SMTP or IMAP clients. This is something we may add to the site in future.

How does the tool work?

This web application stands on great open-source software, including: