
Impact of the Debian OpenSSL vulnerability

Posted May 16, 2008 21:08 UTC (Fri) by bronson (subscriber, #4806)
In reply to: Impact of the Debian OpenSSL vulnerability by johnkarp
Parent article: Impact of the Debian OpenSSL vulnerability

A PID offers so little additional entropy that it's basically worthless.  Still, it can't hurt
to include it, right?

Dunno about that...  If the PID weren't mixed into the randomness, this vulnerability would
have been found within days if not hours.  The slight additional complexity of mixing the PID
in managed to hide a massive security problem for two years.

So, if /dev/random is good enough, perhaps mixing in a tiny amount more entropy ends up being
more harmful than helpful.  It seems to have been in this case.
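To put a number on "so little additional entropy", here is an added illustration (not code from the thread, and not OpenSSL's generator): a toy hash-based generator seeded from nothing but the process ID. The PID range of 32768 is assumed to match the common Linux pid_max default; the 16-byte output length and the SHA-256 "generator" are constructed stand-ins chosen only to make the output space countable.

```python
import hashlib
import math
import os

# Assumed default upper bound on Linux process IDs (constructed for this illustration).
PID_MAX = 32768


def toy_generator(seed: bytes, nbytes: int = 16) -> bytes:
    """Deterministic stand-in for a seeded PRNG: output depends only on the seed."""
    return hashlib.sha256(seed).digest()[:nbytes]


def pid_only_outputs() -> set:
    """Every output the generator can produce when the PID is its only input."""
    return {toy_generator(pid.to_bytes(4, "little")) for pid in range(PID_MAX)}


def pid_entropy_bits() -> float:
    """Upper bound on entropy contributed by the PID alone: log2 of the distinct outputs."""
    return math.log2(len(pid_only_outputs()))


def properly_seeded(pid: int) -> bytes:
    """Same generator, but seeded with real entropy first; the PID is a harmless extra."""
    return toy_generator(os.urandom(32) + pid.to_bytes(4, "little"))


if __name__ == "__main__":
    print(f"distinct PID-only outputs: {len(pid_only_outputs())}")
    print(f"PID entropy upper bound:   {pid_entropy_bits():.1f} bits")
    print(f"properly seeded sample:    {properly_seeded(1234).hex()}")
```

The point the script makes is the one bronson is arguing: at most 15 bits can ever come from the PID, so an output set of 32768 values is a clear signal that nothing else was feeding the generator, and that signal is exactly what a single-seed defect would have exposed immediately had the PID not been masking it with apparent variety.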



Impact of the Debian OpenSSL vulnerability

Posted May 17, 2008 15:18 UTC (Sat) by ikm (subscriber, #493)

I'd say just don't mess with others' sources lightly. Some people like to come and say: oh
here, what the hell is this? Let's just cut it out! A story about a girl who tried to treat
her hamster for a "pimple" he had springs to mind.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds