When Private Keys Are Public: Results From the 2008 Debian OpenSSL Vulnerability

Date Added: Nov 2009
Format: PDF

The authors report on the aftermath of the discovery of a severe vulnerability in the Debian Linux version of OpenSSL. Systems affected by the bug generated predictable random numbers and, most importantly, predictable public/private keypairs. To study user response to this vulnerability, they collected a novel dataset of daily remote scans of over 50,000 SSL/TLS-enabled Web servers, of which 751 displayed vulnerable certificates. They report three primary results. First, as expected from previous work, they find an extremely slow rate of fixing: 30% of the hosts that were vulnerable when the survey began on day 4 after disclosure were still vulnerable almost six months later.