Re: ssl security disaster (was: Re: SSH keys: DSA vs RSA)
On Thu May 15 2008 06:20:10 Thijs Kinkhorst wrote:
> You mean less likely than once in 15 years? We're open to your suggestions.
Leaving millions of systems open to crackers for 2 years out of 15
is not a joke. I don't blame the DD - we have all made mistakes
and most of us are lucky they weren't this serious - but we should
blame the process. And fix it.
The notification process, with the fix in the archive long before
users were notified, failed to live up to Debian's usually high
standards. The delay in getting some of the fixes into Testing
may also be an issue.
The rollout of information and updates was appalling - even adding in
the material from Ubuntu the information was piecemeal and inadequate
to properly secure systems within the limited time before crackers
might be expected to have exploits.
The vulnerability scanner didn't handle keys in many forms (e.g.
Apache keys) and gave false negatives because it doesn't use
~/.ssh/config to check the correct port in the common case where
ssh is running on a port other than 22. In the wonderful light
of hindsight, it would probably have been better to devote less
effort to the scanner and more effort to documenting all the
kinds of key replacements that are needed, and to simply assume
that all keys are potentially compromised.
Serious efforts are needed on two fronts. Second, we must ensure
that nothing like this ever happens again. This calls for a thorough
investigation and carefully updated policies and procedures. It will
take a while to do properly. It must be apparent to both the Debian
community and the world that the effort is authoritative, sincere,
But first we must carefully avoid any communication, however intended,
which might be construed as a flippant attitude to this disaster.