OpenSSL Fiasco
May 15, 2008
Hey folks,
Here’s my unofficial take on the OpenSSL/Debian mess:
If you do not understand the implications of which kinds of keys are threatened, then create new keys on a known-patched system (Any and All Fedora/RHEL/CentOS systems are known safe) and replace all of your old ones.
Good.
Update: Just in case someone is misunderstanding what I’m saying here: I’m not bad-mouthing Debian, and I’m not saying that Fedora is invulnerable to bugs. I am saying that if you’re worried about whether or not the system you’re running can safely generate a new SSH key, you should know that, to the best knowledge at this time, Fedora/CentOS/RHEL are known to be safe for generating new keys with sufficient randomness.
That is all.
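The advice above is to generate fresh keys on a patched system and then replace the old ones everywhere they are authorized. What follows is an added example, not code from the original post: a POSIX shell function that retires one public key in an authorized_keys file by swapping in the replacement key while keeping any forced-command or source restrictions already attached to the entry, so the rotation does not silently widen access. The key blobs, file contents and host names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Rotates a retired SSH public
# key inside an authorized_keys file: every entry carrying the old key blob gets
# the new key type and blob, while leading options (command="...", from="...")
# and the trailing comment are preserved. Key blobs below are constructed
# placeholders; real replacement keys come from ssh-keygen on a patched system.

# Print "<type> <blob>" for an authorized_keys or id_*.pub line. The blob is the
# field starting with "AAAA" (base64 of the SSH wire-format length prefix); the
# key type is the field just before it, so any leading options are skipped.
key_type_and_blob() {
    printf '%s\n' "$1" |
        awk '{ for (i = 2; i <= NF; i++) if ($i ~ /^AAAA/) { print $(i - 1), $i; exit } }'
}

# rotate_authorized_key OLD_PUB_LINE NEW_PUB_LINE FILE
# Rewrites FILE in place and prints the number of lines that carried the old key.
rotate_authorized_key() {
    old=$(key_type_and_blob "$1")
    new=$(key_type_and_blob "$2")
    file=$3
    [ -n "$old" ] && [ -n "$new" ] || return 1
    old_blob=${old#* }
    new_type=${new%% *}
    new_blob=${new#* }
    # Count matching lines first; grep -c exits 1 on zero matches, so keep going.
    count=$(grep -cF -- "$old_blob" "$file" || true)
    tmp="$file.tmp.$$"
    # Swap type and blob on matching lines only; everything else passes through.
    awk -v oldb="$old_blob" -v newt="$new_type" -v newb="$new_blob" '
        {
            for (i = 2; i <= NF; i++) if ($i == oldb) {
                $(i - 1) = newt   # the key type sits right before the blob
                $i = newb
            }
            print
        }' "$file" > "$tmp" && mv "$tmp" "$file"
    echo "$count"
}

# Constructed sample data (placeholders, not real key material).
OLD_KEY='ssh-rsa AAAAB3OLDKEYgeneratedOnEtch== alice@etch-box'
NEW_KEY='ssh-rsa AAAAB3NEWKEYgeneratedOnFedora== alice@fedora-box'

# Build a sample authorized_keys holding two entries for the retired key, one of
# them restricted to a forced rsync command, plus an unrelated entry; rotate it
# and show the result.
demo() {
    f=$(mktemp)
    printf '%s\n' \
        'ssh-rsa AAAAB3OTHERUSERkey== bob@elsewhere' \
        'command="/usr/bin/rsync --server" ssh-rsa AAAAB3OLDKEYgeneratedOnEtch== alice@etch-box' \
        'ssh-rsa AAAAB3OLDKEYgeneratedOnEtch== alice@etch-box' > "$f"
    rotate_authorized_key "$OLD_KEY" "$NEW_KEY" "$f"
    cat "$f"
    rm -f "$f"
}

demo
```

Generate the replacement pair with ssh-keygen on the patched host, then run the rotation on every host whose authorized_keys lists the old key; merely copying the new key alongside the old one does not retire it. Because awk rebuilds a rotated line field by field, runs of whitespace inside that line are collapsed to single spaces.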



May 15, 2008 at 6:43 pm
Oooo… You had to say it. “Any and All Fedora/RHEL/CentOS systems are known safe…”. As a security professional I hate the words “known safe”. I don’t know why, exactly. It has a nasty habit of sending shivers up my spine.
IMO, nothing is known safe. It might have been peer reviewed and deemed safe to use but it just hasn’t been cracked yet. But I agree with your post. And now might be a good time to regenerate any of those old keys you might have laying around, anyway.
May 15, 2008 at 6:43 pm
It’s not fair.
Debian is in trouble, this is not the time to mock.
Btw, this can also happen to Fedora/RHEL/CentOS. Who knows.
May 15, 2008 at 6:46 pm
DO NOT TEMPT THE GODS.
May 15, 2008 at 9:07 pm
My guess is that AIX, Solaris, Mac OS X and Windows are probably safe too.
They have other problems though — for example not having yum.
May 16, 2008 at 7:40 am
You’ve probably already seen it, but CentOS had a good description of how this impacts everybody: http://lists.centos.org/pipermail/centos-announce/2008-May/014902.html