This seem legit...

107 points by darkbot, over 11 years ago

22 comments

chmod775, over 11 years ago
To clarify: DO NOT DO THIS.

1. Never give your private key to anyone

2. Especially not if it is sent over an unencrypted connection (the site doesn't even use https)

3. Don't. Just don't.

This is either the weakest attempt of the NSA to collect private SSL keys ever, or this company actually has zero knowledge of the product they're selling and shouldn't be trusted with your site's security.

icebraining, over 11 years ago
Apparently the feature is widespread:

https://www.sslshopper.com/certificate-key-matcher.html

http://www.ssltools.com/cert_key_match

https://certificatesssl.com/ssl-tools/match-ssl-details.html

http://www.mobilefish.com/services/privatekey_match_certificate/privatekey_match_certificate.php

http://sslchecker.com/matcher

jawr, over 11 years ago
I contacted their support:

Me: I wanted to know more about your certificate key matcher isn't the private key always meant to remain... private?

Emanuele: Yes, it should. We offer the tool to help verify the correspondence SSL certificate it is lost.

Me: But it would be sent over HTTP and viewable to anyone along the network.

Emanuele: The page can also be accessed through HTTPS.

Me: I think it should be enforced. Also something like this should be done client side. Perhaps using crypto.js

Emanuele: OK, I will pass your comment to our General manager.

trustico, over 11 years ago
Hi,

The tool was made available for customers to legitimately check if the Private Key matched the SSL Certificate that was being installed - a common question and feature request from our customers.

However, upon review of the comments made in the internet community we have made a decision to remove this specific tool and to review all other tools that we make publicly available via our websites.

We also saw a heavy attempt to hack/abuse this tool over the past few hours, perhaps to look for exploits, an action I find absurd for those who make out to be security conscious.

I welcome any further comments on how we can improve our service and do hope that our actions to remove the tool today were prompt and satisfactory.

Zane Lucas
General Manager
Trustico Online Limited

terhechte, over 11 years ago
BITCOIN ADDRESS MATCHER

Want to make sure that your bitcoin address works? Just send money to

1JqjU7zBvbhyrDFjtJG6xAwMm5BUVmtpau

and if you don't receive an error, you can rest assured that your bitcoin address works!

a3_nm, over 11 years ago
Related: http://www.inutile.ens.fr/estatis/password-security-checker/

ctz, over 11 years ago
It would be really cool if they parsed the issuer from the certificate you provided, and informed your CA that your private key was just compromised if the key matched.

cornet, over 11 years ago
So I tweeted them earlier and just got this response:

"Hello, the tool will be removed from all our websites within the next 30 minutes. Thanks."

https://twitter.com/MrTrustico/status/395905251313586176

mgbmtl, over 11 years ago
Wow, at first I seriously thought this site was a fake copy of the official Trustico site (they have trustico.ca, trustico.com, etc)... but the form exists on all their sites:

http://www.trustico.ca/ssltools/match/cert-and-key-pem/check-if-certificate-and-key-match.php

tankenmate, over 11 years ago
Woah, I couldn't ever envisage ever trusting a "security company" that not only encouraged you to disclose your private key, but also provided a form for doing it over a non encrypted connection!

My personal opinion is don't use these guys; this is either a school boy error/complete incompetence or totally dubious.

fosap, over 11 years ago
But has a verysign logo. It has to be trustworthy.

ge0rg, over 11 years ago
I just tested the form with a key+cert pair I created for this sole purpose. It actually performs as advertised - it checks if key and cert belong together.

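Added example, not part of the original thread: the check described above (whether a key and a certificate belong together) can be run locally with the openssl CLI, so the private key is never pasted into a web form. It compares the public key embedded in the certificate with the one derived from the private key; the `selftest` key pair and the `example.test` name are constructed for the demo.

```shell
#!/bin/sh
# Added example: check locally that a private key belongs to a certificate.
# Only public keys are compared; the private key never leaves the machine.

# Public key embedded in the certificate (PEM SubjectPublicKeyInfo).
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from the private key (works for RSA and EC keys).
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# 0 = key matches certificate, 1 = mismatch, 2 = a file could not be parsed.
cert_key_match() {
    c=$(cert_pubkey "$1") || return 2
    k=$(key_pubkey "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Constructed demo input: throwaway key A with a self-signed certificate,
# plus an unrelated key B. Prints the two results, e.g. "0 1".
selftest() {
    d=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$d/a.key" -out "$d/a.crt" >/dev/null 2>&1 || return 2
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/b.key" >/dev/null 2>&1 || return 2
    r1=0; cert_key_match "$d/a.crt" "$d/a.key" || r1=$?
    r2=0; cert_key_match "$d/a.crt" "$d/b.key" || r2=$?
    rm -rf "$d"
    echo "$r1 $r2"
}

# Usage: sh match.sh server.crt server.key
if [ "$#" -eq 2 ]; then
    if cert_key_match "$1" "$2"; then
        echo "key matches certificate"
    else
        echo "key does NOT match certificate (or a file is unreadable)"
    fi
fi
```
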
trustico, over 11 years ago
Hello,

that tool will be removed from all our websites within the next 30 minutes.

Trustico Online Limited

elithrar, over 11 years ago
I had these guys @reply me on Twitter when I tweeted about how it's easier to figure out what cipher suite to use compared to figuring out what SSL product I need.

They were helpful but thank god I didn't buy a cert from them: this page is a terrible, terrible idea that erodes their trust completely.

hellerbarde, over 11 years ago
And it's been taken down. This is still up though and just as bad:

http://www.trustico.ch/ssltools/convert/pem-key-to-der/convert-pem-private-key-to-der.php

danso, over 11 years ago
At the very least, I hope a successful submission is rewarded by a redirect to: http://www.youtube.com/watch?v=awK0NrgHUbk

racbart, over 11 years ago
This should be a feature on the NSA website.

dspillett, over 11 years ago
"The page you have tried to access is not responding properly and we can't display it at the moment." - looks like they are embarrassed enough to take it down. Anyone have the original text for me to snigger at? Way-back machine and Google don't seem to have it cached.

scottydelta, over 11 years ago
Haha, it's hilarious, reminded me of this http://d24w6bsrhbeh9d.cloudfront.net/photo/350850_700b_v1.jpg

codfrantic, over 11 years ago
I was hoping it was at least javascript...

Kiro, over 11 years ago
What was it?

jawr, over 11 years ago
Brilliant.