Invalid-Curve-Vulnerability/EN
Check for the Invalid Curve vulnerability.
If the result is positive, there is no need for further action. If the result is negative, please read the following instructions.
Result positive | Not vulnerable to Invalid Curve attacks. |
Result negativ | Vulnerable to Invalid Curve attacks. |
Description | The server is vulnerable to an Invalid Curve attack. This allows an attacker to steal the secret key of your certificate. After that, all your future connections will also be compromised, as well as parts of your past communication. |
Background | For cryptographic encryption, elliptic curves must be selected very carefully because the keys are created from certain points on a curve, which is not easy to do. |
Consequence | The server is vulnerable through an implementation vulnerability that allows an attacker to decrypt the communication and to steal the private key of your certificate. |
Solution/Tips | If vulnerabilities have been reported, immediately install an update to your TLS implementation on your server. You should also replace your certificate, as it may already have been compromised. |