It looks like you're using an Ad Blocker.
Please white-list or disable AboveTopSecret.com in your ad-blocking tool.
Some features of ATS will be disabled while you continue to use an ad-blocker.
It is incredible just how big the effects of the newly discovered error in open source key generation is.
A security flaw has been found in some of the basic code used by a wide variety of Linux security programs. The error originated back in May 2006 when workers on the open-source security project committed a grave and unrealized error.
A simple programming error reduced the entropy in the generated program keys created by the OpenSSL library. Why does this matter? The OpenSSL library's key generation and other routines are used by the SSH remote access program, the IPsec Virtual Private Network (VPN), the Apache Web server, secure email clients, programs that offer secure internet portals and more.
Just two lines of code created crippling security holes in four different open source operating systems, 25 application programs, and millions of internet-attached computer systems. The vulnerability was publicly discovered for the first time May 13, after having left the door open nearly two years. A patch has been distributed, but that can do nothing to repair the damage that has occurred to compromise systems. Worse yet, it appears that through the installation of compromised keys on other systems, numerous systems not even running the code have likely been compromised.
Debian, the Linux variant used largely by security professionals, and Ubuntu, the variant most commonly used by home users are both affected. Furthermore, Windows servers may be compromised as well if they are using keys generated on Linux systems.