Two years of compromised Linux security exposed
By Davey Winder in Editorial
Posted in Blog, Linux, Security, Internet, e-commerce on
A recently revealed vulnerability in the Debian OpenSSL cryptographic libraries, covered in detail in Debian Security Advisory DSA-1571-1, could allow an attacker to decrypt supposedly secure web sessions. The vulnerability also affects Debian-derived distributions, but that is almost beside the point. What isn't beside the point is the reason the vulnerability existed in the first place. You might assume that, as with most of these things, a bit of unintentionally sloppy and insecure programming during development was to blame. While the words sloppy and insecure certainly still spring to mind, unintentional most certainly does not.
You see, according to an excellent piece of analysis at Dark Reading, it appears that the programmer was “using Valgrind to debug applications in an effort to prevent security flaws. But two lines of code from the OpenSSL libraries caused Valgrind to complain, which prompted the programmer to take them out after an inquiry and short discussion on the OpenSSL development mailing list.” Amazing as it may seem, this simple act resulted in “two years’ worth of weakened cryptographic key creation (both SSH keys and SSL certificates) on Debian-based systems.”
In effect, the work-around meant that every one of the 32,767 possible cryptographic keys could be generated ahead of time, and that makes a brute-force attack, pretty much, child’s play.
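As an added illustration (not code from the post, from Debian or from OpenSSL), the toy model below shows why a generator whose output depends on only 32,767 possible inputs can be enumerated in full, and how the same precomputed table serves the defender as a blacklist of affected keys, much as Debian’s openssl-blacklist and ssh-vulnkey did after DSA-1571. The key derivation, the `toy-keygen` label and the fingerprint scheme are simplifications assumed for the example, not OpenSSL’s real algorithm.

```python
import hashlib
import os

# Keyspace size from the post: 32,767 possible keys once the seeding code
# was removed. In the real bug the one surviving input was the process ID;
# this model just uses a 15-bit seed, and its "key" is a hash rather than
# a real RSA or DSA key (simplifying assumption for the example).
KEYSPACE = 32767


def weak_keygen(seed: int) -> bytes:
    """Stand-in for the broken generator: output depends only on a 15-bit
    seed, so every key it can ever produce is enumerable."""
    if not 1 <= seed <= KEYSPACE:
        raise ValueError("seed outside the 15-bit range")
    return hashlib.sha256(b"toy-keygen|" + seed.to_bytes(2, "big")).digest()


def strong_keygen() -> bytes:
    """Properly seeded counterpart: 32 bytes from the OS CSPRNG go in."""
    return hashlib.sha256(b"toy-keygen|" + os.urandom(32)).digest()


def fingerprint(key: bytes) -> str:
    """Short identifier compared against the blacklist (hypothetical
    scheme; real tools use the key's SSH or certificate fingerprint)."""
    return hashlib.sha256(key).hexdigest()


def build_blacklist() -> frozenset:
    """Precompute the fingerprint of every key the weak generator can emit.
    The table that makes brute force trivial is also what lets a defender
    reject affected keys on sight."""
    return frozenset(fingerprint(weak_keygen(s)) for s in range(1, KEYSPACE + 1))


BLACKLIST = build_blacklist()


def is_weak(key: bytes, blacklist: frozenset = BLACKLIST) -> bool:
    """True if the key is one of the enumerable weak ones."""
    return fingerprint(key) in blacklist


if __name__ == "__main__":
    print(len(BLACKLIST), "weak fingerprints precomputed")
    print("weak key flagged:", is_weak(weak_keygen(4242)))    # True
    print("fresh key flagged:", is_weak(strong_keygen()))     # False
```

Building the full table takes a fraction of a second here, which is the whole point: a keyspace that small offers no real secrecy, so rejecting anything in the table is the only safe response.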
In his Dark Reading analysis, John Sawyer claims that this means “All communications that had been perceived as ‘secure’ for the past two years — and into the unforeseeable future — could now be compromised if their encryption was based on the flawed keys and certificates.”
Sure, the developers concerned were only trying to make something more secure, and there was certainly no malicious intent involved. But the irony is that it proves Linux can be just as insecure as Windows in some regards, perhaps even more so. Why more so? Because the perception is that Linux is secure, period. Working from that basis, users are perhaps inclined to think less about the security and privacy implications of their online sessions. In the case of Debian users that could have devastating implications.
And the moral of this tale? Be it Linux or Windows, the user should always treat security seriously and never expect the OS to be a virtual fortress…
Comment by Richard Chapman - May 26, 2008 on 4:32 pm
It’s been a long tough road for the advocates of Microsoft’s monolithic operating system and its less than stellar record on security. They have suffered greatly under the taunts and ridicule of the Open source advocates. Their only comeback was the absurdly simplistic logic that popularity equates to vulnerability.
“Now, finally a chink in the (we can now say) supposedly impenetrable Linux security. Ha ha, Linux. We knew the whole time you had security troubles just like the rest of us. From now on, if anyone tries to say we’re insecure, we’ll throw this report right in their face. Yes, time after time, no matter how often there’s a question of Windows security, we can show the world that Linux isn’t secure either. See? A flaw was found in May 2008.”
Two questions: How long did it take for a fix to be posted? At what point does this become old news?
Comment by diffid - June 3, 2008 on 8:39 am
Only noobs build secure systems from Linux distros’ repositories; experienced users and professionals build their own distro and compile their libraries, especially security-related ones, from the horse’s mouth: the creators themselves, not the package managers. Yet again, people who simply do not understand what ‘Linux’ is tar it all with the same brush. You can do that with Windows, as you do not have the same level of control as with Linux, but there will be hundreds of mission-critical ‘Linux’ systems out there that won’t entertain the idea of a package manager messing with the sources.
Once and for all: Linux is not like Windows; it can be honed down to the last nut and bolt to suit the application it is required for.
Poor reporting and naive ignorance of what ‘Linux’ is.
Comment by Davey Winder - June 4, 2008 on 11:08 am
>How long did it take for a fix to be posted?
Two years by the look of it… There is a big difference between time to fix after disclosure and time to fix after distribution. Two years is two years, that’s a pretty big window of opportunity.
>Only noobs build secure systems from Linux Distos repositories
Thank goodness ‘noobs’ don’t use Linux then, otherwise they might find themselves in all sorts of trouble.