When private keys are public: results from the 2008 Debian OpenSSL vulnerability

  • Scott Yilek, E. Rescorla, H. Shacham, Brandon Enright, S. Savage
  • Published in IMC '09, 2009
  • Computer Science
  • We report on the aftermath of the discovery of a severe vulnerability in the Debian Linux version of OpenSSL. Systems affected by the bug generated predictable random numbers, most importantly public/private keypairs. To study user response to this vulnerability, we collected a novel dataset of daily remote scans of over 50,000 SSL/TLS-enabled Web servers, of which 751 displayed vulnerable certificates. We report three primary results. First, as expected from previous work, we find an extremely…
    Where did I leave my keys?
    • 1
    The Matter of Heartbleed
    • 448
    Upgrading HTTPS in mid-air: An empirical study of strict transport security and key pinning
    • 77
    The Attack of the Clones: A Study of the Impact of Shared Code on Vulnerability Patching
    • 82
    • Highly Influenced
    A deeper understanding of SSH: Results from Internet-wide scans
    • 15