
Mailing List Archive: Apache: Dev

Impact of OpenSSL Randomness issues on Debian

 

 



chip at force-elite

May 13, 2008, 2:18 PM


If you are just catching up:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0166
http://it.slashdot.org/article.pl?sid=08/05/13/1533212

Most of the talk has been about how SSH Servers and Client private keys
are vulnerable.

However, Private x509 Keys generated by a vulnerable machine, and used
by HTTPS are also guessable.

Debian and Ubuntu have made several tools to detect weak key signatures
in OpenSSH and OpenVPN.

1) Shouldn't it be possible to write something that detects the weak
private key fingerprint from the SSL handshake?

2) Should we remind users on announce[at]httpd or another medium that any
x509 keys generated on a Debian or Ubuntu server, such as those used
for HTTPS, in the last 2 years, should be re-generated?

Thanks,

-Paul
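
The check asked about in question 1, sketched as an added example (not part of the original post, and not Debian's or Apache's tooling): it pulls the RSA modulus out of a DER-encoded server certificate, as delivered in the handshake, and looks its fingerprint up in a blocklist. The fingerprint convention, the blocklist contents and the skeletal sample certificate are assumptions constructed for illustration; only RSA keys are handled.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split a constructed element into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def rsa_modulus(cert_der):
    """Pull the RSA modulus out of a DER-encoded X.509 certificate."""
    tbs = children(children(read_tlv(cert_der, 0)[1])[0][1])
    if tbs[0][0] == 0xA0:  # optional explicit [0] version field
        tbs = tbs[1:]
    spki = children(tbs[5][1])  # after serial, sigAlg, issuer, validity, subject
    rsa_key = read_tlv(spki[1][1], 1)[1]  # BIT STRING: skip unused-bits byte
    return int.from_bytes(children(rsa_key)[0][1], "big")

def fingerprint(modulus):
    # Assumed convention: low 80 bits of SHA-1 over the "Modulus=<HEX>" line.
    return hashlib.sha1(("Modulus=%X\n" % modulus).encode()).hexdigest()[20:]

def is_weak(cert_der, blocklist):
    return fingerprint(rsa_modulus(cert_der)) in blocklist

# --- constructed sample data: a skeletal certificate, not a real key ---
def tlv(tag, value):
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_cert(modulus):
    key = tlv(0x30, tlv(0x02, b"\x00" + modulus.to_bytes(128, "big")) + b"\x02\x03\x01\x00\x01")
    spki = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + key))
    tbs = tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + tlv(0x30, b"") * 4 + spki
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

WEAK_N = int.from_bytes(b"\xc3" * 128, "big")  # constructed stand-in modulus
BLOCKLIST = {fingerprint(WEAK_N)}              # constructed one-entry blocklist
```

In practice the blocklist would be loaded from whatever weak-key list is in use, with `fingerprint` adjusted to match that list's format.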
