https://bugzilla.novell.com/show_bug.cgi?id=393186 Summary: Detecting weak keys following the Debian OpenSSL desaster Product: openSUSE 10.3 Version: Final Platform: Other OS/Version: Other Status: NEW Severity: Major Priority: P5 - None Component: Security AssignedTo: security-team@suse.de ReportedBy: bugreports@tittel.net QAContact: qa@suse.de CC: benji@opensuse.org Found By: --- As probably nobody has missed, Debian got struck by a bug in their OpenSSL package, that lead to the generation of incredibly weak keys for SSH, SSL, OpenVPN etc.: http://www.debian.org/security/2008/dsa-1571 http://wiki.debian.org/SSLkeys As a consequence, a lot of weak SSL, SSH and OpenVPN keys are out there in the wild, which also poses a problem for users of openSUSE and SLED/SLES: 1) Weak SSL keys/certificates and SSH host keys created on Debian systems could be in use on SUSE systems and thus making encryption/authentication ineffective without the user noticing it (do you remember where and when you created every one of your SSH/SSL keys?). 2) SSH users of a SUSE system could have uploaded weak SSH public keys to their ~/.ssh/authorized_keys file, which poses a direct threat of unauthorized access to the SUSE machine. 3) Users of a SUSE system will connect to SSL-protected websites, mail servers etc., which use weak keys and not realize that their connection is not securely encrypted and also not secured from man-in-the-middle attacks. 4) Similar problems exist for other servies such as OpenVPN. The detection of weak keys is (to a certain degree) possible by comparing a public key with a list of known weak keys. See http://wiki.debian.org/SSLkeys#head-f2bdd99a686b944264c7ecd66a8361d64c15a656 and http://wiki.debian.org/SSLkeys#head-45e521140d6b8f2a0f96a115a5fc616c4f1baf0b. Debian already took some action to make at least OpenSSH complain if it hits known weak keys and provided tools to check the system for known weak keys. Of course it would be optimal if every software dealing with potentially affected keys would check if keys are weak, but that might not be practically feasible. However, some action should be taken for SUSE to at least prevent the worst and make SUSE users aware of that problem. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.