When private keys are public: results from the 2008 Debian OpenSSL vulnerability

When private keys are public: results from the 2008 Debian OpenSSL vulnerability When Private Keys are Public: Results from the 2008 Debian OpenSSL Vulnerability Scott Yilek UC San Diego Eric Rescorla RTFM, Inc. Hovav Shacham UC San Diego ekr@rtfm.com syilek@cs.ucsd.edu hovav@cs.ucsd.edu Brandon Enright Stefan Savage UC San Diego UC San Diego bmenrigh@ucsd.edu ABSTRACT We report on the aftermath of the discovery of a severe vulnerability in the Debian Linux version of OpenSSL. Systems a €ected by the bug generated predictable random numbers, most importantly public/private keypairs. To study user response to this vulnerability, we collected a novel dataset of daily remote scans of over 50,000 SSL/TLS-enabled Web servers, of which 751 displayed vulnerable certi cates. We report three primary results. First, as expected from previous work, we nd an extremely slow rate of xing, with 30% of the hosts vulnerable when we began our survey on day 4 after disclosure still vulnerable almost six months later. However, unlike conventional vulnerabilities, which typically show a short, fast xing phase, we observe a much ‚atter curve with xing extending six months after the announcement. Second, we identify some predictive factors for the rate of upgrading. Third, we nd that certi cate authorities continued to issue certi cates to servers with weak keys http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.png

When private keys are public: results from the 2008 Debian OpenSSL vulnerability

Loading next page...
 
/lp/acm/when-private-keys-are-public-results-from-the-2008-debian-openssl-5UeZYWxdQ5
Datasource
acm
Copyright
Copyright © 2009 by ACM Inc.
ISBN
978-1-60558-771-4
D.O.I.
10.1145/1644893.1644896
Publisher site
See Article on Publisher Site

Abstract

When Private Keys are Public: Results from the 2008 Debian OpenSSL Vulnerability Scott Yilek UC San Diego Eric Rescorla RTFM, Inc. Hovav Shacham UC San Diego ekr@rtfm.com syilek@cs.ucsd.edu hovav@cs.ucsd.edu Brandon Enright Stefan Savage UC San Diego UC San Diego bmenrigh@ucsd.edu ABSTRACT We report on the aftermath of the discovery of a severe vulnerability in the Debian Linux version of OpenSSL. Systems a €ected by the bug generated predictable random numbers, most importantly public/private keypairs. To study user response to this vulnerability, we collected a novel dataset of daily remote scans of over 50,000 SSL/TLS-enabled Web servers, of which 751 displayed vulnerable certi cates. We report three primary results. First, as expected from previous work, we nd an extremely slow rate of xing, with 30% of the hosts vulnerable when we began our survey on day 4 after disclosure still vulnerable almost six months later. However, unlike conventional vulnerabilities, which typically show a short, fast xing phase, we observe a much ‚atter curve with xing extending six months after the announcement. Second, we identify some predictive factors for the rate of upgrading. Third, we nd that certi cate authorities continued to issue certi cates to servers with weak keys

There are no references for this article.

You’re reading a free preview. Subscribe to read the entire article.


DeepDyve is your
personal research library

It’s your single place to instantly
discover and read the research
that matters to you.

Enjoy affordable access to
over 18 million articles from more than
15,000 peer-reviewed journals.

All for just $49/month

Explore the DeepDyve Library

Search

Query the DeepDyve database, plus search all of PubMed and Google Scholar seamlessly

Organize

Save any article or search result from DeepDyve, PubMed, and Google Scholar... all in one place.

Access

Get unlimited, online access to over 18 million full-text articles from more than 15,000 scientific journals.

Your journals are on DeepDyve

Read from thousands of the leading scholarly journals from SpringerNature, Elsevier, Wiley-Blackwell, Oxford University Press and more.

All the latest content is available, no embargo periods.

See the journals in your area

DeepDyve

Freelancer

DeepDyve

Pro

Price

FREE

$49/month
$360/year

Save searches from
Google Scholar,
PubMed

Create folders to
organize your research

Export folders, citations

Read DeepDyve articles

Abstract access only

Unlimited access to over
18 million full-text articles

Print

20 pages / month

PDF Discount

20% off