Real Software Forums

The forum for Real Studio and other Real Software products.

All times are UTC - 5 hours

 Post subject: eMail I received from Thawte.
PostPosted: Wed May 21, 2008 5:25 am 

Joined: Sun Dec 23, 2007 10:19 am
Posts: 255
I thought people may be interested in this. It is a genuine email I received from Thawte (the SSL and code signing people). Basically it's saying that any sites, downloads or applications that have SSH and SSL digital certificates generated on a Debian computer are not secure.

Dear Ian,

We are writing to inform you of a recent exposed security flaw with certain versions of Linux so you may take immediate action and protect your site and your customers against any vulnerability. If you are not using Debian or one of its derivatives there is nothing you need to do.

For customers who used a Debian OS (or its derivatives) to generate a key pair used to request a certificate, that key pair (and the corresponding certificate) is vulnerable. This is due to a flaw in the Debian-specific random number generation that results in relatively predictable key pair values, making them highly exploitable.

thawte's trusted root and intermediate roots were not impacted by this incident.

If you are running Debian operating systems and derivatives (such as Ubuntu) released between September 17, 2006 and May 12, 2008 you should deploy a recently replaced Debian patch and revoke and replace all SSL and code signing certificates for which keys were created on these operating systems. Debian has released a testing tool to confirm whether your certificates are affected. This tool and other useful information can be found here: ... 00152.html

For additional information, please visit our support site at ... nt&id=AD94


Chris Babel
Senior Vice President, SSL

 Post subject: Re: eMail I received from Thawte.
PostPosted: Thu May 22, 2008 10:47 pm 

Joined: Sat Oct 01, 2005 12:18 pm
Posts: 1358
The issue was with how Debian distros generated the SSH/SSL keys in their random number generator. It turned out that someone changed how the seeds were generated, and it made it so that keys could be guessed. They became predictable. It made it so that if you used a secure key on an affected Debian box, the key could have been compromised. This issue isn't specific to code signing or whatnot, but affects *all* SSH/SSL keys that could have touched a compromised system.


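How the kind of "testing tool" the Thawte email refers to works, as an added example (not code from this thread, from Thawte or from Debian): because the affected keys are predictable, the whole set can be precomputed and a key is checked by fingerprinting its RSA modulus and looking the fingerprint up in that blacklist. The fingerprint convention used here (SHA-1 over the `Modulus=...` line that `openssl rsa -noout -modulus` prints, keeping the last 20 hex digits) is assumed from memory of Debian's openssl-blacklist package, and the modulus values and the one-entry blacklist are constructed for the example.

```python
import hashlib
import re
import sys

# Assumed fingerprint convention (modelled, from memory, on Debian's
# openssl-blacklist package; not stated on this page): SHA-1 over the exact
# "Modulus=<HEX>\n" line that `openssl rsa -noout -modulus` prints, keeping
# only the last 20 hex digits of the digest.
def modulus_fingerprint(modulus_hex: str) -> str:
    line = "Modulus=" + modulus_hex.strip().upper() + "\n"
    return hashlib.sha1(line.encode("ascii")).hexdigest()[20:]

def parse_modulus_line(line: str) -> str:
    """Accept the 'Modulus=...' line printed by openssl, or a bare hex string."""
    m = re.fullmatch(r"\s*(?:Modulus=)?([0-9A-Fa-f]+)\s*", line)
    if not m:
        raise ValueError("not an openssl modulus line: %r" % line)
    return m.group(1).upper()

def load_blacklist(text: str) -> set:
    """One fingerprint per line; '#' starts a comment, blank lines are ignored."""
    entries = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower()
        if entry:
            entries.add(entry)
    return entries

def is_weak_key(modulus_line: str, blacklist: set) -> bool:
    """True if the key's modulus fingerprint is blacklisted, i.e. revoke and replace it."""
    return modulus_fingerprint(parse_modulus_line(modulus_line)) in blacklist

# Constructed sample data, not real keys: a fake "vulnerable" modulus, the
# one-entry blacklist it would produce, and a second modulus that is not listed.
SAMPLE_WEAK_MODULUS = "C0FFEE" * 10 + "0D15EA5E"
SAMPLE_OK_MODULUS = "DEADBEEF" * 8
SAMPLE_BLACKLIST_TEXT = "# constructed\n" + modulus_fingerprint(SAMPLE_WEAK_MODULUS) + "\n"

if __name__ == "__main__":
    # Usage: openssl rsa -noout -modulus -in key.pem | python check_key.py blacklist.RSA-2048
    if len(sys.argv) == 2:
        with open(sys.argv[1]) as f:
            blacklist = load_blacklist(f.read())
    else:
        blacklist = load_blacklist(SAMPLE_BLACKLIST_TEXT)
    weak = is_weak_key(sys.stdin.readline(), blacklist)
    print("COMPROMISED: revoke and replace" if weak else "not blacklisted")
    sys.exit(1 if weak else 0)
```

A check like this is only as complete as the blacklist it is given, so a key that was generated on an affected system but does not match the list should still be treated as suspect and replaced.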