[vox-tech] Security Alert: Debian OpenSSL flaw affects many systems
Brian Lavender
brian at brie.com
Fri May 16 15:27:28 PDT 2008
On Thu, May 15, 2008 at 05:18:52PM -0500, Ken Bloom wrote:
> On Thu, 2008-05-15 at 14:29 -0700, Jeffrey Nonken wrote:
> > http://www.linux.com/feature/135270
>
> This paragraph is probably wrong:
>
> > Debian and derivative distribution users can use the apt-get upgrade
> > command to replace vulnerable keys on their systems, and Ubuntu users
> > applying the security patches which appeared yesterday will have their
> > weak keys replaced automatically, but as Moore points out, that
> > doesn't solve the problems caused by weak keys being used to sign
> > certificates or copied to other servers.
>
> More detailed information is available at http://wiki.debian.org/SSLkeys
>
> Note that the vulnerability meant that only 2^15 different keys of each
> size were being generated. This is an incredibly small number, and I'm
> sure many hackers have dictionaries of the entire key set now to break
> in to systems with affected authorized_keys files.
I downloaded a dictionary of keys. I haven't tried to run the crack yet.
Hackers build things, crackers break into things.
--
Brian Lavender
http://www.brie.com/brian/
More information about the vox-tech
mailing list