My impression is that there is rarely any single good source of entropy,
so it must be scrounged up from as many minor sources as possible...
hardware interrupt timings, mouse movements, etc. The PID probably only
adds a bit or two, but every bit helps.
Posted May 16, 2008 21:08 UTC (Fri) by bronson (subscriber, #4806)
A PID offers so little additional entropy that it's basically worthless. Still, it can't hurt
to include it, right?
Dunno about that... If the PID weren't mixed into the randomness, this vulnerability would
have been found within days if not hours. The slight additional complexity of mixing the PID
in managed to hide a massive security problem for two years.
So, if /dev/random is good enough, perhaps mixing in a tiny amount more entropy ends up being
more harmful than helpful. It seems to have been in this case.
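The masking effect described in the comment above, as an added Python example that is not part of the original thread and is not OpenSSL's code. `toy_key`, the constant pool state and the sample PIDs are constructed for illustration, and `PID_MAX` assumes the Linux default `pid_max` of 32768.

```python
import hashlib

PID_MAX = 32768  # assumption: Linux default pid_max; not stated in the thread


def toy_key(pid, mix_pid):
    """Hypothetical stand-in for key generation when no real entropy reaches the pool.

    The only input that can vary between runs is the PID, and only if mix_pid is True.
    """
    seed = b"constant-pool-state"  # constructed: models a pool that got no real entropy
    if mix_pid:
        seed += pid.to_bytes(4, "little")
    return hashlib.sha256(seed).hexdigest()


def distinct_keys(pids, mix_pid):
    """Number of different keys produced by processes with the given PIDs."""
    return len({toy_key(pid, mix_pid) for pid in pids})


def smoke_test_flags_problem(pids, mix_pid):
    """Naive sanity check: generate a handful of keys and look for duplicates."""
    return distinct_keys(pids, mix_pid) < len(pids)


def keyspace_size(mix_pid):
    """Total number of keys the broken generator can ever emit (PIDs 1..PID_MAX-1)."""
    return distinct_keys(range(1, PID_MAX), mix_pid)


if __name__ == "__main__":
    sample = [4211, 4212, 9034, 17650, 30001]  # constructed PIDs of five test runs
    for mix in (False, True):
        print(f"mix_pid={mix}: "
              f"duplicates in sample={smoke_test_flags_problem(sample, mix)}, "
              f"total keyspace={keyspace_size(mix)}")
```

Without the PID, every run yields the same key and the duplicate check fails at once; with the PID, a small sample looks healthy even though the generator can only ever produce 32767 keys.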
Impact of the Debian OpenSSL vulnerability
Posted May 17, 2008 15:18 UTC (Sat) by ikm (subscriber, #493)
I'd say just not mess with the others' sources lightly. Some people like to come and say oh
here, what the hell is this? Let's just cut it out! A story about a girl who tried to treat
her hamster for a "pimple" he had spurs to my mind.