ubuntu.com — As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates.
May 13, 2008
mccord, May 13, 2008 (Submitter)
More detailed info can be found on: http://lists.debian.org/debian-security-announce/2008/msg00152.html
fknight, May 13, 2008
This is so getting buried. Watch.
smoothmoniker, May 13, 2008
Digg it up! This is important, and something diggers should be aware of.
electricketchup, May 13, 2008
I always thought that OpenSSL only used /dev/random for entropy and didn't use a prng (as long as /dev/random existed on the platform). Was I wrong? Does OpenSSL really use a prng and if so, why? I don't mind generating entropy with hardware interrupts while wiggling my mouse around to create a more secure private key.
smoothmoniker, May 14, 2008
The update fixed the problem with OpenSSH, but the update doesn't replace your public keys - after you update, you have to do that manually. Thus the digg. If users don't manually regenerate their keys, they're still vulnerable to attack, even after the update.