Re: Is openssl actually safe now? (was: debian infrastructure ssh key logins disabled, passwords reset)


>  However I wonder, is the pristine behavior correct? As far as I know, it
>  is NOT justified at all to rely on the assumption that uninitialized
>  memory contains random data. I read that many architectures reset it to
>  some magic number, e.g., 0xdeadbeef. Is that correct?
>  If so, and if that was the ONLY entropy source used in generating keys,
>  then upstream openssl is (and has always been) just as broken as the
>  patched Debian package. While if it was only used in addition to other
>  sources, all this is probably a non-issue.

I wonder if there could be some tool that created a big amount of
random keys and statistically checked that the system was working
properly. Any chance that a tool like that can exist?
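
One form such a check could take, as an added example that is not part of the original post: generate many keys and count exact duplicates, which exposes a generator whose seed space is tiny. `weak_keygen` and its 15-bit `SEED_SPACE` are a constructed stand-in for a broken generator, not OpenSSL code.

```python
import hashlib
import os
import random
from collections import Counter

SEED_SPACE = 2 ** 15  # assumption: the broken generator has only 15 bits of seed


def weak_keygen(rng):
    """Constructed stand-in: the 256-bit key depends only on a small seed."""
    seed = rng.randrange(SEED_SPACE)
    return hashlib.sha256(b"key-from-seed:%d" % seed).digest()


def strong_keygen(_rng=None):
    """Key material taken directly from the OS CSPRNG."""
    return os.urandom(32)


def duplicate_report(keygen, n, rng=None):
    """Generate n keys and return (distinct_keys, repeated_draws)."""
    counts = Counter(keygen(rng) for _ in range(n))
    repeats = sum(c - 1 for c in counts.values())
    return len(counts), repeats


def expected_repeats(n, space):
    """Expected repeated draws when n keys come from `space` equally likely values."""
    return n - space * (1 - (1 - 1 / space) ** n)


def looks_broken(keygen, n=2000, rng=None):
    """Flag any repeat: among healthy 256-bit keys a collision is negligible."""
    _, repeats = duplicate_report(keygen, n, rng)
    return repeats > 0


if __name__ == "__main__":
    rng = random.Random(1)  # fixed seed so the demonstration is repeatable
    print("weak  :", duplicate_report(weak_keygen, 2000, rng))
    print("strong:", duplicate_report(strong_keygen, 2000))
    print("expected repeats for a 15-bit seed:", round(expected_repeats(2000, SEED_SPACE), 1))
```

A clean result does not prove the generator is sound: a hashed counter never repeats either, so this check only catches a small seed space.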


