
After Debian's epic SSL blunder, a world of hurt for security pros (Register)

Here's an article in The Register on the aftermath of the Debian OpenSSL vulnerability. "Among the weak SSL certificates at time of publication is this one belonging to Whitehouse.gov. It's of little consequence, since the site doesn't conduct secure transactions, but it does show the ubiquity of the problem. The key is owned by content delivery provider Akamai Technologies and is used by about 20,000 websites. Akamai is in the process of replacing it."

After Debian's epic SSL blunder, a world of hurt for security pros (Register)

Posted May 23, 2008 14:30 UTC (Fri) by kjhambrick (subscriber, #23704)

Was Ubuntu affected by the bug ?

After Debian's epic SSL blunder, a world of hurt for security pros (Register)

Posted May 23, 2008 14:54 UTC (Fri) by rfunk (subscriber, #4054)

Yes.

After Debian's epic SSL blunder, a world of hurt for security pros (Register)

Posted May 23, 2008 21:38 UTC (Fri) by bronson (subscriber, #4806)

I replaced all SSH and SSL keys the day the story broke but I keep finding more weak keys in
weird places, probably about one every two days.  TLS for imap & SMTP, random LDAP stuff, etc.
And I only administer a few tens of machines!  I can't imagine what this has been like for the
guys maintaining 50+ public servers.

Personally, I've spent around 10 hours on this...  If it's added up worldwide and given a
reasonable hourly rate, the total cost of this one-line bug is going to be staggering.  And
that's assuming that everything can be fixed before some black hat uses it to transfer a few
mil to Bermuda.

Looking forward, has Debian released any statements about trying to reduce all the dpatching
they do?  I've complained about it in the past but never let it actually affect what distro
I actually deploy.  Now, I must admit, Slack, Arch, the BSDs, and other mostly-upstream
distros are looking a lot more attractive!
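Added example, not from the article or any of the comments above: a small Python model of why the Debian bug made every generated key enumerable, and how a fingerprint blacklist built by that same enumeration catches weak keys wherever they turn up (SSH, HTTPS, STARTTLS on IMAP/SMTP, LDAP). The key generator, the fingerprint and the blacklist format are stand-ins chosen for this example, and the 15-bit pid range is an assumption; the real blacklists had to be generated per key type, key size and platform because key generation also depended on those.

```python
"""Model of the Debian OpenSSL weak-key problem and the blacklist check.

Added example code; not the openssl-blacklist/openssh-blacklist tools.
"""
import hashlib
import hmac
import os

# Assumption: the only "entropy" left after the patch was a 15-bit process id.
PID_MAX = 32768


def drbg(seed: bytes, nbytes: int = 32) -> bytes:
    """Deterministic byte generator (HMAC-SHA256 in counter mode).

    Stand-in for the library PRNG: however strong the generator, its output
    is a pure function of the seed, so a tiny seed space means a tiny key space.
    """
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:nbytes]


def broken_keygen(pid: int) -> bytes:
    """Models the bug: key material derived from the pid alone."""
    return drbg(pid.to_bytes(2, "big"))


def fixed_keygen(pid: int) -> bytes:
    """Correct generator: real OS entropy is mixed in as well."""
    return drbg(pid.to_bytes(2, "big") + os.urandom(32))


def fingerprint(key: bytes) -> str:
    """Stand-in key fingerprint (the real tools hash the RSA modulus / key blob)."""
    return hashlib.sha1(key).hexdigest()


def build_blacklist() -> set:
    """Enumerate every possible seed: 32767 keys, a few milliseconds of work.

    This is exactly what made the bug exploitable (an attacker precomputes all
    keys) and what makes the defensive blacklist complete.
    """
    return {fingerprint(broken_keygen(pid)) for pid in range(1, PID_MAX)}


def is_weak(key: bytes, blacklist: set) -> bool:
    """Blacklist check to run over every key file found on a host."""
    return fingerprint(key) in blacklist


def scan(keys: dict, blacklist: set) -> list:
    """Return the names of weak keys in a {name: key_material} inventory."""
    return sorted(name for name, key in keys.items() if is_weak(key, blacklist))


if __name__ == "__main__":
    bl = build_blacklist()
    # Constructed inventory standing in for keys pulled from sshd, Apache,
    # Dovecot, Postfix and slapd configs on one host.
    inventory = {
        "ssh_host_rsa_key": broken_keygen(1203),
        "apache.key": fixed_keygen(1203),
        "dovecot.key": broken_keygen(4981),
        "postfix.key": fixed_keygen(4981),
        "slapd.key": broken_keygen(777),
    }
    for name in scan(inventory, bl):
        print("WEAK KEY:", name)
```

The point of the exercise is the size of `build_blacklist()`: a generator whose seed is 15 bits produces at most 32768 distinct keys no matter how the key itself is derived, so replacing keys is the only fix, and the blacklist check belongs in every place a key can hide, not just sshd and the web server.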

After Debian's epic SSL blunder, a world of hurt for security pros (Register)

Posted May 23, 2008 21:47 UTC (Fri) by bronson (subscriber, #4806)

Ask about Debian policies and ye shall receive: http://lwn.net/Articles/283030/

(that's what I get for reading stories in reverse chronological order!)

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds