When private keys are public: results from the 2008 Debian OpenSSL vulnerability

  title={When private keys are public: results from the 2008 Debian OpenSSL vulnerability},
  author={Scott Yilek and Eric Rescorla and Hovav Shacham and Brandon Enright and Stefan Savage},
  booktitle={ACM/SIGCOMM Internet Measurement Conference},
We report on the aftermath of the discovery of a severe vulnerability in the Debian Linux version of OpenSSL. Systems affected by the bug generated predictable random numbers, most importantly public/private keypairs. To study user response to this vulnerability, we collected a novel dataset of daily remote scans of over 50,000 SSL/TLS-enabled Web servers, of which 751 displayed vulnerable certificates. We report three primary results. First, as expected from previous work, we find an extremely… 

Weak Keys Remain Widespread in Network Devices

It is found that many vendors appear never to have produced a patch, and little to no patching behavior is observed among end users of affected devices.

Where did I leave my keys?

It is found that, contrary to Juniper's public statements, the ScreenOS VPN implementation has been vulnerable to passive exploitation by an attacker who selects the Dual EC curve point since 2008.

Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices

The largest ever network survey of TLS and SSH servers is performed and evidence that vulnerable keys are surprisingly widespread is presented, including a boot-time entropy hole in the Linux random number generator.

The Broken Shield: Measuring Revocation Effectiveness in the Windows Code-Signing PKI

It is shown that erroneously setting revocation dates causes signed malware to remain valid even after the certificate has been revoked, and failures in disseminating the revocations are reported, leading clients to continue trusting the revoked certificates.

The Matter of Heartbleed

A comprehensive, measurement-based analysis of the Heartbleed vulnerability's impact is performed, including tracking the vulnerable population, monitoring patching behavior over time, assessing the impact on the HTTPS certificate ecosystem, and exposing real attacks that attempted to exploit the bug.

Mission accomplished?: HTTPS security after DigiNotar

It is found that while deployment of new security features has picked up in general, only SCSV and CT have gained enough momentum to improve the overall security of HTTPS.

Upgrading HTTPS in mid-air: An empirical study of strict transport security and key pinning

The first in-depth empirical study of two important new web security features, strict transport security (HSTS) and public-key pinning, is conducted, finding evidence that many developers do not completely understand these features, with a substantial portion using them in invalid or illogical ways.

When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography

This work investigates a new way in which RNGs fail due to reuse of virtual machine (VM) snapshots, and develops a backwards-compatible framework for hedging routine cryptographic operations against bad randomness, thereby mitigating the damage due to randomness failures.

The Attack of the Clones: A Study of the Impact of Shared Code on Vulnerability Patching

This first systematic study of patch deployment in client-side vulnerabilities from 10 popular client applications is presented, and several new threats presented by multiple installations of the same program and by shared libraries distributed with several applications are identified.

A deeper understanding of SSH: Results from Internet-wide scans

The results of Internet-wide SSH scans, which are of a sensitive nature and produced the largest data set to date, are presented; the deployment of ciphers and associated key lengths is analysed, with good results found in terms of security.

Security Holes . . . Who Cares?

  • E. Rescorla
  • USENIX Security Symposium
  • 2003
An observational study of user response following the OpenSSL remote buffer overflows of July 2002 and the worm that exploited it in September 2002 finds that administrators are generally very slow to apply the fixes.

Cryptographic strength of ssl/tls servers: current and recent practices

The cryptographic strength of public servers running SSL/TLS is characterized and encouraging behavior such as sensible default choices by servers when presented with multiple options, the quick adoption of AES, and the use of strong RSA key sizes of 1024 bits and above are observed.

Randomness and the Netscape browser

By encrypting payment information before transmitting it, a customer can ensure that no one except the company from which he is purchasing can decode that sensitive data.

The Secure Shell (SSH) Protocol Architecture

This document describes the architecture of the SSH protocol, as well as the notation and terminology used in SSH protocol documents, and discusses the SSH algorithm naming system that allows local extensions.

A Security Architecture for the Internet Protocol

The design, rationale, and implementation of a security architecture for protecting the secrecy and integrity of Internet traffic at the Internet Protocol (IP) layer, which includes a modular key management protocol, called MKMP, is presented.

Modern Applied Statistics With S


Security Architecture for the Internet Protocol

This document describes an updated version of the "Security Architecture for IP", which is designed to provide security services for traffic at the IP layer. This document obsoletes RFC 2401.

Sweave: Dynamic Generation of Statistical Reports Using Literate Data Analysis

Sweave combines typesetting with LaTeX and data analysis with S into integrated statistical documents that can be automatically updated if data or analysis change, which allows truly reproducible research.

Survival Analysis: A Self-Learning Text

A Cox Proportional Hazards Model extension for Time-Dependent Variables and Parametric Survival Models for Recurrent Events Survival Analysis and Competing Risks Survival Analysis is presented.

Exploiting DSA-1571: How to break PFS in SSL with EDH

  • 2008