
The Debian OpenSSL Fiasco.


On May 13th, Debian announced that there is a bug in the way SSH RSA/1024 and DSA/2048 keys were generated. The actual problem was that the keys were not random enough: given time and resources, you can generate enough keys to use in a brute force attack. Aside from the obvious, I have my own thoughts on the matter.

First, I was mad, really mad. How can Debian miss such a glaring hole? And then I read the description of what actually happened - I won't go into detail here, you can find it online - and guess what, I got even MORE mad. This was beyond a simple mistake; this was bad management.

1. How come Debian does not have someone who actually knows SSL packaging that thing?
2. How come the OpenSSL developers made such bad assumptions? Why did they not follow up?
3. If the problem is caused because of trying to get rid of error messages in the debugger, how did other distributions solve this?

Then I calmed down and started patching. Luckily, I don't have that many certificates or keys generated on Debian; 6 hours later I was all done.

During the dist-upgrade process, I noticed something curious though. I was getting a couple of extra packages called openss?-blacklist*. Hmm, what is that?

Turns out, the Debian maintainers went the extra mile or ten: they actually made a list of all fingerprints of bad keys and modified the SSH daemon to NOT accept those keys for authentication. Bravo.

Now I'm wondering if other distributions did this. Or other Unix vendors, and what about other implementations of SSH? Oh man, what a screw up. The cleanup cost is going to be enormous. But I do hope that the blacklist/ssh-vulnkey thing becomes a standard. Actually it solved a problem of mine: when an employee left, I had to manually delete all his keys from every authorized_keys file; instead, I can now just create a blacklist file, put all the fingerprints in it and propagate the file to my server. Two birds with one stone.
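To make the fingerprint-blacklist idea concrete, here is an added example (not code from Debian, OpenSSH or this post) that audits an authorized_keys file against a list of revoked fingerprints and reports which entries should be removed. It assumes a constructed blacklist format of one full MD5 fingerprint per line, which is not the file format of the Debian blacklist packages, and the keys and names in it are constructed samples.

```python
import base64
import hashlib
import re

# Key type and base64 blob, wherever they sit on the line (options may precede them).
KEY_RE = re.compile(r"(?:^|\s)(ssh-rsa|ssh-dss)\s+([A-Za-z0-9+/]+=*)(?:\s+(.*))?$")

def fingerprint(blob_b64):
    """MD5 of the decoded public-key blob, as lowercase hex without colons."""
    return hashlib.md5(base64.b64decode(blob_b64)).hexdigest()

def load_blacklist(text):
    """Assumed format: one fingerprint per line; colons, case and # comments tolerated."""
    out = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().replace(":", "").lower()
        if line:
            out.add(line)
    return out

def audit(authorized_keys_text, blacklist):
    """Return (line_no, comment, fingerprint) for every blacklisted key."""
    hits = []
    for no, line in enumerate(authorized_keys_text.splitlines(), 1):
        # Skip commented-out keys explicitly: "# ssh-rsa AAAA..." would match KEY_RE.
        m = None if line.lstrip().startswith("#") else KEY_RE.search(line.strip())
        if not m:
            continue  # blank, comment, or not a key line this sketch understands
        try:
            fp = fingerprint(m.group(2))
        except ValueError:
            continue  # malformed base64; a real tool should report this line
        if fp in blacklist:
            hits.append((no, (m.group(3) or "").strip(), fp))
    return hits

def _sample_key(seed):
    """Constructed stand-in for a public-key blob; not a real RSA key."""
    body = b"\x00\x00\x00\x07ssh-rsa" + hashlib.sha256(seed).digest()
    return base64.b64encode(body).decode()

ALICE, BOB = _sample_key(b"alice"), _sample_key(b"bob")
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample
ssh-rsa {ALICE} alice@laptop
command="echo hi",no-pty ssh-rsa {BOB} bob@old-workstation
"""
SAMPLE_BLACKLIST = "# departed staff (constructed)\n" + fingerprint(BOB).upper() + "\n"

if __name__ == "__main__":
    print(audit(SAMPLE_AUTHORIZED_KEYS, load_blacklist(SAMPLE_BLACKLIST)))
```

An audit like this only reports stale entries; refusing the key at login still depends on the SSH daemon checking the blacklist, as the patched Debian daemon does.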

Aside from the security implications of this bug, I started wondering about the social implications: how will other vendors, other distributions, and Debian/Ubuntu/Mint etc. users take this?

I think the Ubuntu users will be the most affected. That is because Ubuntu is geared more towards the home user, who is not as conscious of security as someone who says a little prayer to Dennis Ritchie every time he su's, aka sysadmin/root/god.

Some people are complaining that Debian's quality has been degrading. I don't think so; I think Debian now is an even better platform to build upon. Debian never sold itself as an enterprise platform; it was and still is a hacker's playground. People mention the lack of an enterprise or company to complain to when things break, they complain that the releases are never on time, they complain that Debian maintainers worry over silly little things like the Firefox name/logo, they complain about the lack of proprietary code, they complain and complain. Guess what, Debian is not meant for all this. If you want a support contract, go to RedHat, or Novell, or IBM, or a thousand other vendors out there. Debian is trying very hard - and succeeding, I might say - to stay true to the Free Software concept (RMS disagrees of course :)).

My faith in Debian was shaken a little bit, but the maintainers more than made up for it with the ssh-vulnkey patch, I hope it propagates upstream. And I hope Debian finds someone with more SSL knowledge to package this thing :)

-nick