Almost one month ago, Florian Weimer on behalf of the Debian Security Team announced one of the worst security vulnerabilities in recent history. I won’t go into a technical description of the problem itself. But, it’s interesting to note how Debian both succeeded and failed, how this vulnerability broke the “patch to stay secure” model, and how it personally impacted me.
On Debian…
First, Debian is an all volunteer organization that created and maintains the largest integrated body of code. Ever. The Debian “operating system” is far larger than Microsoft Windows or Mac OS X - they can barely be compared. That a security vulnerability could lay in any package undiscovered for years is unsurprising.
But, once discovered, Debian’s security team promptly released an update of the affected packages fixing the flaw. In the same announcement for the update, there was an included link to a page that promised to have instructions on how to actually close the holes. That page wasn’t filled in until over a day later.
Of course, the wiki page had helpful information within 30 minutes.
Are you saying getting the security update didn’t fix my computer?
Yes. The problem wasn’t a matter of fixing the user’s software but fixing their data. The security keys they thought weren’t. The software to make new keys was provided; but, any Debian user that wasn’t subscribed to the right mailing list wouldn’t have known about the further action necessary. (Though, to be fair, the OpenSSH package at least warns about vulnerable keys on update.)
In fact, the average Debian user would be hard pressed to find any mention of the vulnerability. It wasn’t a front page news item. OpenSSL, and all dependent packages, fail to provide any alert on upgrade. Worse, the Certificate Authorities still haven’t revoked certificates for compromised keys. That means the SSL aura of trust has been devalued even more.
It would be an interesting, and expensive, experiment to see how many CAs will EV sign one of the compromised keys.
On me…
Meanwhile, tonight, I finally finished with “key rollover” on all my affected services.
- tara: No services effected. (Too old.)
- steak: No services effected. (Too old.)
- megan: SSH, SMTP / IMAP, XMPP
- resa: SSH
- Personal keys: EECS, wsunix, Planet EECS, tara, megan, nearlyfreespeech
Gosh, I hope I got everything. Each of those only took about five hours apiece.
Of course, some people did make it easier. I already shouted out to the wiki page earlier. But, of everything and everyone who should have been doing their jobs, one group stood out and another one embarrassed itself:
From: “NearlyFreeSpeech.NET Member Support”
Subject: [NearlyFreeSpeech.NET] Potentially weak ssh key detected
Date: Wed, 14 May 2008 12:30:00 -0400Hello
You are being contacted because an ssh key vulnerability in Debian-
derived Linux systems has been detected that may affect you.…
Wow. Thanks!
From: “XMPP CertMaster”
Subject: XMPP SSL Certificate revoked, 09:12 pm 13 Jun 2008
Date: Fri, 13 Jun 2008 21:12:48 +0300This mail is intended for the person who owns a SSL Certificate from the XMPP Intermediate Certification Authority (http://www.xmpp.net).
Your certificate with serial number 890 has been revoked for the following reason(s):
- The holder / owner of the certificate requested revocation.
You can’t blame the XMPP Federation. They don’t actually run a CA, they subcontract. I hope Peter isn’t paying much… as I’d say him having to write a notice of the vulnerability was not his money’s worth.
1 Comment
July 21, 2008 at 4:58 pm
I actually thought pretty much everybody heard about this instantly.
Here’s a funny link about how this actually happened.
Leave a Reply