This free tool is provided by Cryptosense, a start-up making software which helps companies find and fix security flaws in systems that use cryptography.
The Cryptosense Discovery application can find Internet-facing services protected by cryptography and evaluate the security of the crypto they use.
There are many web-based tools for evaluating cryptographic services. Ours is different in two ways. First, it attempts to discover hosts and services for analysis, rather than requiring the user to know exactly where the cryptography is before using the tool. Second, it tries to explain the findings in detail in terms of standards and known attacks, to allow a risk evaluation, rather than just flagging things as red or green.
From the "Check results" page where you can see your score, click on "Get help" to get a remediation report. You will receive a PDF with instructions on how to fix the configuration of your SSH and web servers.
If you come across a security issue, if our application is causing trouble for your infrastructure, or if you just have a comment on the results, please contact us here.
We explain our rationale in this blog post.
An A means the cryptography that we were able to detect is up to date with our standards. The server may have plenty of other vulnerabilities not related to cryptography at all, or an application being served over secure cryptography may have application-level vulnerabilities like XSS or SQL injection bugs. There may also be crypto services running that we didn't detect, because our scans were blocked or because they are running on non-standard ports.
Additionally, some cryptographic flaws such as poor key management are hard or impossible to detect from an external scan. For this, we have other tools.
Several, including the following:
This web application stands on great open-source software, including: