OpenSSL Fiasco

May 15, 2008

Hey folks,

Here’s my unofficial take on the OpenSSL/Debian mess:

If you do not understand the implications of which kind of keys are threatened then create new keys on a known-patched system(Any and All Fedora/RHEL/CentOS systems are known safe) and replace all of your old ones.


Update: Just in case someone is misunderstanding what I’m saying here. I’m not bad mouthing debian, I’m not saying that fedora is invulnerable to bugs. I am saying that if you’re worried about whether or not the system you’re running can safely generate a new ssh key you should know that to the best knowledge at this time Fedora/Centos/RHEL are known to be safe for generating new keys with sufficient randomness.

That is all.


5 Responses to “OpenSSL Fiasco”

  1. Sparks Says:

    Oooo… You had to say it. “Any and All Fedora/RHEL/CentOS systems are known safe…”. As a security professional I hate the words “known safe”. I don’t know why, exactly. It has a nasty habit of sending shivers up my spine.

    IMO, nothing is known safe. It might have been peer reviewed and deemed safe to use but it just hasn’t been cracked yet. But I agree with your post. And now might be a good time to regenerate any of those old keys you might have laying around, anyway.

  2. Me Says:

    It’s not fair.
    Debian is in trouble, this is not the time to mock.

    Btw, this can also append to Fedora/RHEL/CentOS. Who knows.

  3. Greg DeK Says:


  4. Christof Says:

    My guess is that AIX, Solaris, Mac OS X and Windows are probably safe too.

    They have other problems though — for example not having yum.

  5. You probably already seen it, but CentOS had a good description of how this impacts everybody:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: