
Straw Poll -- Weak SSL/SSH keys





2008-06-16 05:26:48
Straw Poll -- Weak SSL/SSH keys
I crave your collective indulgence.

You are all, I assume, aware of the Debian weak keys issue. No doubt any of you affected by it have already updated your systems, retired your old keys and generated new ones. However, not everyone out there is quite so diligent, and some servers still have weak keys in place.

Some of these are SSL servers, like wot is used to do e-commerce, an' that. The issue here is that, in theory, an attacker could decrypt the traffic and recover your credit card details, since brute forcing the server's private key is that much easier. You could also be talking to a fake server for the same reason, but this doesn't make much difference to the information an attacker can collect.

What I'd like to know is:

1) Do you care?
2) If not, why not?
3) Would you ever bother testing a site's certificate for a weak key before doing business with them?


J.

