DEBIAN

For more than two years, Debian machines were proof of the sad fact that many eyes (openssl is open-source, as the name suggests) do not, in fact, make all bugs shallow.

Apparently, the blame is shared between the Debian maintainer of the package and upstream ssl developers – the former introduced a very, very ill-advised patch, while the latter failed to advise this was so. What the patch did was to remove all sources of randomness from the key generation process, except for one – the user ID of the key-generating process – which is, as you’d expect, not so very random, leading to the generation of eminently guessable keys.

The implications are myriad – for one, all those supposedly secure web shops which ran on Debian servers weren’t in fact secure. Even worse, ssh, which depends on libssl and is the Linux administrator’s remote access tool of choice, was also vulnerable – login details to any number of accounts may have been stolen, and none’s the wiser. We’ll never know if the vulnerability was in fact known to anyone prior to it being found and fixed by Debian maintainers – but it’s a safe bet to assume it was, vulnerabilities being the briskly-traded commodities that they are.

No, there is no moral to this story, neither is there a silver lining to the cloud.