The Recycle Bin

A repository of comments, code, and opinions.

Serious flaw in OpenSSL on Debian-based Linux

leave a comment »


[SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

OK, this is kind of a big deal.  It turns out that there is a serious flaw in the OpenSSL packages used on Debian-based Linux distributions, which includes Ubuntu, Xandros, and many others.  The problem appears to be that the random number generator is giving predictable, rather un-random results.

From the bulletin:

It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.

Debian Linux runs many of the websites out there, and a lot of them rely on cryptographic keys for SSL.  Replacing these keys (getting them re-signed by a Certificate Authority) will surely be a long and expensive process.

Here’s another gem from the bulletin:

OpenSSL’s DTLS (Datagram TLS, basically “SSL over UDP”) implementation did not actually implement the DTLS specification, but a potentially much weaker protocol, and contained a vulnerability permitting arbitrary code execution (CVE-2007-4995).

These bugs beg the question, why is the Debian team making changes to OpenSSL?  Cryptography is hard, and the OpenSSL team has one of the most accurate and respected libraries to date.   They should stick to what they’re good at, like package management, and leave cryptography to the people who know what they’re doing.  As it stands, I’m not sure if I can trust any SSL connection anymore…


Written by Nathan

May 13, 2008 at 6:38 pm

Posted in Cryptography, Linux, Security

Tagged with , , ,

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: