2008-05-19

On Debian OpenSSL problem DSA-1571-1

It is sad what happened to Debian OpenSSL, leaving all keys weak (DSA-1571-1 openssl -- predictable random number generator) (Slashdot | Debian Bug Leaves Private SSL/SSH Keys Guessable).

When I started using Valgrind a long time ago and saw Valgrind warning about it, I knew something like this could happen.

To detect weak keys, the full set of keys that can be generated because of this problem is already available: Debian OpenSSL Predictable PRNG Toys.
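As an added example (not code from the original post or from the PRNG Toys), here is the kind of blacklist lookup that weak-key detection comes down to: parse an OpenSSH public-key line, derive its type, size and MD5 fingerprint, and check the fingerprint against a list of known-weak fingerprints for that type and size. The blacklist layout, the sample keys and the helper names are constructed for this example; a real check would use the published fingerprints of every key the broken generator could produce.

```python
"""Check OpenSSH public keys against a blacklist of known-weak fingerprints."""
import base64
import hashlib
import struct


def parse_ssh_blob(blob):
    """Split an SSH public-key blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return fields


def key_identity(pubkey_line):
    """Return (key type, modulus bits, MD5 fingerprint) for an ssh-rsa key line."""
    ktype, b64, *_ = pubkey_line.split()
    blob = base64.b64decode(b64)
    fields = parse_ssh_blob(blob)          # ssh-rsa blob: type string, e, n
    if ktype != "ssh-rsa" or fields[0] != b"ssh-rsa":
        raise ValueError("only ssh-rsa keys are handled in this example")
    modulus = int.from_bytes(fields[2], "big")
    fp = hashlib.md5(blob).hexdigest()     # MD5 was the ssh-keygen -l fingerprint at the time
    return ktype, modulus.bit_length(), fp


def is_blacklisted(pubkey_line, blacklist):
    """True if the key's fingerprint is listed for its type and size."""
    ktype, bits, fp = key_identity(pubkey_line)
    return fp in blacklist.get((ktype, bits), set())


def make_rsa_line(e, n):
    """Build a constructed ssh-rsa line from raw e and n (not real key material)."""
    def mpint(x):
        b = x.to_bytes((x.bit_length() + 8) // 8, "big")  # room for a leading 0x00 byte
        return struct.pack(">I", len(b)) + b
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"


# Constructed sample keys: one we treat as weak, one as unaffected.
WEAK_KEY = make_rsa_line(65537, (1 << 1023) | 12345)
GOOD_KEY = make_rsa_line(65537, (1 << 1023) | 54321)
# Constructed blacklist keyed by (type, bits); a real one holds the published weak fingerprints.
BLACKLIST = {("ssh-rsa", 1024): {key_identity(WEAK_KEY)[2]}}
```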

Open source software is gaining a lot of momentum, and it needs review of software changes to prevent this kind of thing from happening. The Linux kernel has mostly good reviewing because each patch needs review from at least two developers, one of the module maintainers and a core Linux developer (Introduction to Linux kernel development process).
