A critical flaw in the OpenSSL package that Debian has shipped since 2006 has left machines running Debian and Debian-derived Linux distributions such as Ubuntu (of which there are a great many, mostly servers) with cryptographic keys that are anything but secure.

For the best part of two years, Debian machines were proof of the sad fact that many eyes (OpenSSL is open source, as the name suggests) do not, in fact, make all bugs shallow.

Apparently, the blame is shared between the Debian maintainer of the package and the upstream OpenSSL developers: the former applied a very, very ill-advised patch, and the latter, when asked about it, failed to say so. What the patch did was to remove every source of randomness from the key generation process but one, the process ID of the key-generating process, which on Linux is a number below 32768 and therefore nowhere near random enough. The result was keys that can be guessed outright, simply by trying every possible value.
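To make the failure concrete, here is an added toy model; it is not OpenSSL's code and not Debian's patch. It shows a generator whose only input is the process ID, the attacker's brute-force loop over the 32768 possible seeds beside it, and the defender's counterpart: a precomputed blacklist of every key the broken generator can ever emit, which is the approach Debian's openssl-blacklist tooling took after the fix. The hash construction, the `PID_MAX` value and all function names are assumptions made for this example.

```python
import hashlib
import os
from typing import Optional, Set

# Linux's default pid_max at the time, so roughly 2^15 possible seeds.
# Assumption made for this toy model; the real key space also varied by
# architecture and key size, so the actual counts differed per platform.
PID_MAX = 32768


def weak_key_material(pid: int, nbytes: int = 16) -> bytes:
    """Toy stand-in for a generator whose only entropy input is the PID.

    This is NOT OpenSSL's code. It models only the property described in
    the post: every other entropy source was dropped, so the output is a
    deterministic function of a 15-bit value.
    """
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = pid.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:nbytes]


def strong_key_material(nbytes: int = 16) -> bytes:
    """What a correctly seeded generator gives you: kernel randomness."""
    return os.urandom(nbytes)


def recover_pid(observed: bytes) -> Optional[int]:
    """Attacker side: walk the whole seed space and look for a match.

    Against the weak generator this finishes in well under a second; the
    same loop against os.urandom output has no realistic chance of success.
    """
    for pid in range(1, PID_MAX):
        if weak_key_material(pid, len(observed)) == observed:
            return pid
    return None


def fingerprint(key: bytes) -> str:
    """Short identifier for a key, in the spirit of an SSH key fingerprint."""
    return hashlib.sha256(key).hexdigest()[:20]


def build_blacklist(nbytes: int = 16) -> Set[str]:
    """Defender side: precompute the fingerprint of every key the weak
    generator can produce, so deployed keys can be checked against the list."""
    return {fingerprint(weak_key_material(pid, nbytes)) for pid in range(1, PID_MAX)}


def is_blacklisted(key: bytes, blacklist: Set[str]) -> bool:
    """True if the key is one the broken generator could have emitted."""
    return fingerprint(key) in blacklist


if __name__ == "__main__":
    victim_key = weak_key_material(4321)  # a key "generated" on a broken box
    print("recovered PID:", recover_pid(victim_key))
    blacklist = build_blacklist()
    print("weak key blacklisted:", is_blacklisted(victim_key, blacklist))
    print("fresh key blacklisted:", is_blacklisted(strong_key_material(), blacklist))
```

The point of the two halves is that the attacker and the defender do the same amount of work: whoever enumerates the seed space first either owns every affected key or can reject every affected key. Once the space is that small, secrecy of the key is gone regardless of its nominal bit length.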

The implications are myriad. For one, all those supposedly secure web shops whose certificates were issued for keys generated on Debian servers weren't in fact secure. Worse, OpenSSH, which uses OpenSSL's crypto library and is the Linux administrator's remote access tool of choice, was also affected: host keys and user keys generated on such machines can be reproduced by anyone willing to try the handful of possible seeds, and DSA keys merely used on such a machine can be recovered from the signatures they produced, so login credentials to any number of accounts may have been stolen with nobody the wiser. We'll never know whether the vulnerability was known to anyone before a Debian developer found it and the project fixed it in May 2008, but it's a safe bet to assume it was, vulnerabilities being the briskly traded commodities that they are.

No, there is no moral to this story, neither is there a silver lining to the cloud.

About the author

Razvan Stoica is a journalist turned teacher turned publicist and technology evangelist. When Bitdefender isn't paying him to bring complex subjects to wide audiences, he enjoys writing fiction, skiing and biking.

Razvan Stoica started off writing for a science monthly and was the chief editor of a science fiction magazine for a short while before moving on to the University of Medicine in Bucharest, where he lectured on the English language. Recruited by Bitdefender in 2004 to add zest to the company's online presence, he has fulfilled a bevy of roles within the company since.

In his current position, he is primarily responsible for the communications and community-building efforts of the Bitdefender research and technology development arm.