Sciweavers

IMC
2009
ACM

When private keys are public: results from the 2008 Debian OpenSSL vulnerability

14 years 7 months ago
When private keys are public: results from the 2008 Debian OpenSSL vulnerability
We report on the aftermath of the discovery of a severe vulnerability in the Debian Linux version of OpenSSL. Systems affected by the bug generated predictable random numbers, most importantly public/private keypairs. To study user response to this vulnerability, we collected a novel dataset of daily remote scans of over 50,000 SSL/TLS-enabled Web servers, of which 751 displayed vulnerable certificates. We report three primary results. First, as expected from previous work, we find an extremely slow rate of fixing, with 30% of the hosts vulnerable when we began our survey on day 4 after disclosure still vulnerable almost six months later. However, unlike conventional vulnerabilities, which typically show a short, fast fixing phase, we observe a much flatter curve with fixing extending six months after the announcement. Second, we identify some predictive factors for the rate of upgrading. Third, we find that certificate authorities continued to issue certificates to servers ...
Scott Yilek, Eric Rescorla, Hovav Shacham, Brandon
Added 28 May 2010
Updated 28 May 2010
Type Conference
Year 2009
Where IMC
Authors Scott Yilek, Eric Rescorla, Hovav Shacham, Brandon Enright, Stefan Savage
Comments (0)