[Klug-general] SSL bug

George Prowse cokehabit at gmail.com
Thu May 22 12:03:05 BST 2008


Andrew Miller (Spode) wrote:
> I'm running Ubuntu Server 8.04 and I did an update as soon as I heard 
> about the fix. It *automatically* regenerated new keys for me. I just 
> had to remove my server from my known_hosts file in order to login.
> 
> Sure, it's a big issue - but did anyone actually exploit it? To be 
> patched up before anyone has actually exploited it is pretty good. 
> Microsoft vuln. are discovered and known for ages before repaired.
> 
> But, I have to admit, (playing devil's advocate), it would certainly shake 
> my confidence as an outsider...
> 
> Spode

I don't think you understand the scope of it; it isn't just a few users 
signing in and out. Some people will have 5000 keys generated on each 
server, each one signing everything from emails to logging in remotely. 
On top of that, EVERY KEY that has been generated on a Debian-based 
machine in the past 20 months is affected because the flaw is in their 
random number generator. Now add having to send all the new keys to 
VeriSign et al and you have a major cleanup operation.

It was annoying enough for me signing in via ssh from an OS X box, then 
stopping to delete my cert keys and then having to do it again; imagine 
having to get people to do that halfway across the world.

Read these:
http://www.regdeveloper.co.uk/2008/05/21/massive_debian_openssl_hangover/
http://metasploit.com/users/hdm/tools/debian-openssl/
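A defender-side check matching the cleanup described in this thread, added here as an example and not code from the thread or from Debian: it parses a known_hosts file, computes each host key's MD5 fingerprint, and flags entries that appear in a blacklist. The key blobs and the blacklist are constructed stand-ins (the real lists shipped in the distributions' blacklist packages, which this snippet does not embed), and the hostnames are assumptions.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string (RFC 4251): 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """SSH mpint: big-endian magnitude, with a leading zero byte when the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_blob(e: int, n: int) -> str:
    """Base64 ssh-rsa public key blob from exponent and modulus (used to construct samples)."""
    return base64.b64encode(ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)).decode()


def md5_fingerprint(blob_b64: str) -> str:
    """Colon-separated MD5 fingerprint of the decoded blob, as ssh-keygen -l printed it back then."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_known_hosts(text: str):
    """Yield (hosts, key type, base64 blob) per entry, skipping blank, comment and malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].startswith("@"):   # marker lines such as @revoked or @cert-authority
            parts = parts[1:]
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        yield parts[0], parts[1], parts[2]


def find_blacklisted(known_hosts: str, blacklist: set) -> list:
    """Return [(hosts, key type, fingerprint)] for every entry whose fingerprint is blacklisted."""
    hits = []
    for hosts, ktype, blob in parse_known_hosts(known_hosts):
        fp = md5_fingerprint(blob)
        if fp in blacklist:
            hits.append((hosts, ktype, fp))
    return hits


# Constructed sample data: toy RSA blobs with tiny moduli (NOT real keys). WEAK_BLOB stands in for
# a key whose fingerprint is on the weak-key blacklist; GOOD_BLOB for one that is not.
WEAK_BLOB = rsa_blob(65537, 2 ** 127 - 1)
GOOD_BLOB = rsa_blob(65537, 2 ** 89 - 1)
KNOWN_HOSTS = f"""# constructed known_hosts
server.example.org,192.0.2.10 ssh-rsa {WEAK_BLOB}
backup.example.org ssh-rsa {GOOD_BLOB}
"""
BLACKLIST = {md5_fingerprint(WEAK_BLOB)}   # stand-in for the distribution's blacklist

if __name__ == "__main__":
    for hosts, ktype, fp in find_blacklisted(KNOWN_HOSTS, BLACKLIST):
        print(f"{hosts}: {ktype} key {fp} is blacklisted; remove with ssh-keygen -R and refetch it")
```

Hosts flagged this way still need the server side regenerated before the entry is refetched; removing the stale line alone only clears the local mismatch.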



More information about the Kent mailing list