Linux Today: Linux News On Internet Time.

Vendors Are Bad For Security

May 13, 2008, 18:00
(Other stories by Ben Laurie)

"I've ranted about this at length before, I'm sure--even in print, in O'Reilly's Open Sources 2. But now Debian have proved me right (again) beyond my wildest expectations. Two years ago, they 'fixed' a 'problem' in OpenSSL reported by valgrind by removing any possibility of adding any entropy to OpenSSL's pool of randomness.

"The result of this is that for the last two years (from Debian's 'Etch' release until now), anyone doing pretty much any crypto on Debian (and hence Ubuntu) has been using easily guessable keys. This includes SSH keys, SSL keys and OpenVPN keys..."
