Rojo

select Painful Debian / Ubuntu SSL bug

+ 0

• Tim Anderson's ITWriting (+subscribe)
• By tim
• 5/14/2008 04:47 AM

expand close

Summary: A bug in the Debian-modified version of OpenSSL (also used by Ubuntu) means that cryptographic keys generated on Debian systems for the last couple of years may be insecure. Instead of being well randomized, they are easily guessable. More...  Click to expand...

A bug in the Debian-modified version of OpenSSL (also used by Ubuntu) means that cryptographic keys generated on Debian systems for the last couple of years may be insecure. Instead of being well randomized, they are easily guessable.

More information about the vulnerability is here; how to fix it here.

How much does this matter? The full scope has not emerged yet; but as I understand it, it affects self-generated keys. Those who purchased certificates from a third-party certificate authority are not affected, unless one of those authorities turns out to have been using the broken version which is unlikely. Even if you purchased certificates from a third-party certificate authority, you would still be affected if you generated the certificate request on a system with the broken OpenSSL library (thanks to Nico for the correction below).

This means that a large number of supposedly secure SSH connections or SSL connections to web sites and servers over the last couple of years were actually not very secure at all.

If nothing else, it shows how easy it is to be falsely reassured, to think you are secure when you are not.

It also shows the risks of modifying security code. The problem is not with OpenSSL, but with changes made by a Debian coder who thought he was fixing something when in fact he was breaking it.

This site runs on Debian and I’ve spent some time today checking it for vulnerability and regenerating keys.

Technorati tags: debian, security, ssl, ubuntu

 

All Mojo'rs for Painful Debian / Ubuntu SSL bug

• 

• Flag
• Email
• Rojolink
• 

close