Technology

It was announced yesterday that sometime back in September 2006 a line of code was removed from the Debian distributed OpenSSL package. That one line of code was responsible for causing an uninitialized data warning in Valgrind. It also seeded the random number generator used by OpenSSL. Without it, the error went away, but the keyspace used by affected systems went from 2^1024 to about 2^15. Oh noes!

A large majority of Debian and Ubuntu systems are affected. To correct the problem, you’ll need to not only update OpenSSL, but also revoke and replace any cryptographic keys and certificates that were generated on the affected systems. From the Debian security advisory:

Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections. Keys generated with GnuPG or GNUTLS are not affected, though.

For most people, this boils down to your ssh server’s host key and any public key pairs used for remote ssh authentication. Any keys or certificates generated on the affected machines for SSL/https use also need to be revoked and regenerated. It’s pretty ugly, really.

As far as teachable moments go, there’s probably a lot to think about here. Software developers have this weird natural tendency to want to fix and reengineer things that aren’t even broken. I’d go so far as to say that the desire to reengineer is inversely proportional to a programmer’s familiarity and understanding of the code. I think it comes from our intense desire to make sense of things. It’s the guru who’s able to channel that hacker urge into solving new problems instead of creating new bugs out of old solutions.

DSA-1571-1 openssl — predictable random number generator
OpenSSL PRNG Debian Toys (more discussion of the problem here)

2 thoughts on “Debian/Ubuntu users: update your SSL keys and certs

  1. The other risk is, they’ll put that firmware update on to the new game disks, and so wipe a lot of machines like that. The way to stop them doing that? Hack your machine and download pirated games. Oh, the Irony!

    Nintendo are forcing people who want to do cool stuff with their hardware into using pirate games, so you don’t get hacked by Nintendo, the hardware maker/seller!!

    The issue is, why are they bothering to annoy those who support their hardware the most?
    It is backwards.

Comments are closed.

Tagged