Re: ssl security disaster (was: Re: SSH keys: DSA vs RSA)
On Tue, May 27, 2008 at 01:45:25AM +0200, Klaus Ethgen wrote:
> Am Di den 27. Mai 2008 um 1:09 schrieb Colin Watson:
> > On Thu, May 15, 2008 at 09:15:57AM -0700, Mike Bird wrote:
> > > The rollout of information and updates was appalling - even adding in
> > > the material from Ubuntu the information was piecemeal and inadequate
> > > to properly secure systems within the limited time before crackers
> > > might be expected to have exploits.
> > I think part of the problem here was that the coordinated release date
> > for the advisory was simply too soon after the relevant parties were
> > notified.
> Ehem, is it your idea of security to make it secret (like Microsoft do
Well done; a straw man combined with an implication of an ad hominem.
That always really impresses me.
> It is never ever a good idea to make security issues secret or
> protracting it.
> And in this special case it was easy to fix the problem very fast when
> the advisory came out.
Let's say you'd been asleep at the time, and the advisory had laid out
everything necessary to make it trivial to produce an exploit (it could
easily have been much more explicit than it was, and even with limited
information it only took a day and a half to produce an exploit; a
couple of hours would not at all have been out of the question). Would
you still feel the same way if your accounts had been compromised?
If we had released any sooner, the OpenSSH blacklisting support would
not have been available, and every system administrator would have had
to figure out what was going on by hand rather than have the upgrade
automatically deny attempts to exploit this vulnerability. If we had
released later, a number of flaws in the blacklisting support could have
been fixed, alleviating a great deal of confusion among system
administrators (I spent considerable time that week supporting people
confused by the new tools), and I doubt it would have made much if any
difference to exploit production.
> > but I think an extra day or two on the embargo period would very
> > likely have produced a better result.
> It is never a good idea to set an embargo period for a security issue.
> This is all the more true for a security problem of this scope!
If it had been released without an embargo, many more systems would have
been compromised, and (given the severity) it's entirely possible that
somebody would have managed to write a worm that took advantage of this
to seriously damage Internet infrastructure. It's as simple as that. We
used the embargo period to develop tools to help system administrators
defend themselves, not to sit in a smoke-filled room gloating that we
knew a secret and you didn't.
I believe wholeheartedly in full disclosure of all security problems.
Nothing else ultimately makes sense, particularly in the free software
world. That doesn't mean I think we have to actively help the black
hats; a few days of advance notice is just about all the advantage we
have, and we desperately need to make good use of it.
> All together I must say it was very professional and fast how the Debian
> security team and others handled the problem. Don't belittle them by
> arguing with snake oil that the reaction was too fast!
> It can never be fast enough.
Note that I was myself heavily involved in producing some of the fixes
that went out in Debian security advisories. If the people directly
involved are not entitled to make comments on the process, who exactly
do you think is?
I think everyone involved did a wonderful job, especially given the
appalling constraints they were under. There is a difference, though,
between acknowledging the excellent work that was done and burying one's
head in the sand claiming that nothing could possibly have been
Colin Watson [email@example.com]
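The blacklisting Colin refers to above (an upgraded sshd refusing keys known to have come from the broken PRNG, plus a tool to audit existing key files) works by matching key fingerprints against a list of known-weak fingerprints. The following is an added illustration written for this page; it is not OpenSSH's code or the Debian openssh-blacklist package. It builds two constructed ssh-rsa keys, puts one of them on a toy blacklist, and then both audits an authorized_keys file and gates a login decision. Using the trailing 20 hex digits of the MD5 fingerprint as the lookup key mirrors my recollection of the Debian blacklist file format, but the exact on-disk format, and the names `audit_authorized_keys` and `accept_login`, are assumptions of this example.

```python
import base64
import hashlib
import struct
from typing import List, Optional, Set, Tuple


def encode_string(s: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes (RFC 4251)."""
    return struct.pack(">I", len(s)) + s


def encode_mpint(n: int) -> bytes:
    """SSH wire 'mpint': length-prefixed big-endian two's complement (RFC 4251)."""
    if n == 0:
        return struct.pack(">I", 0)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # keep the value positive
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def ssh_rsa_blob(e: int, n: int) -> bytes:
    """The binary blob that appears base64-encoded on an 'ssh-rsa ...' line."""
    return encode_string(b"ssh-rsa") + encode_mpint(e) + encode_mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """OpenSSH's classic MD5 fingerprint of the key blob, as 32 hex digits."""
    return hashlib.md5(blob).hexdigest()


def blacklist_key(blob: bytes) -> str:
    """Lookup key for the blacklist: the last 20 hex digits of the MD5 fingerprint.
    (Assumption of this example; the real file format may differ.)"""
    return md5_fingerprint(blob)[-20:]


def load_blacklist(text: str) -> Set[str]:
    """Parse a blacklist file: one truncated fingerprint per line, '#' comments allowed."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def parse_pubkey_line(line: str) -> Optional[bytes]:
    """Return the decoded key blob from an authorized_keys line, or None for blank/comment lines.
    Handles leading options only when they contain no embedded whitespace."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    for i, f in enumerate(fields):
        if f.startswith(("ssh-", "ecdsa-")) and i + 1 < len(fields):
            return base64.b64decode(fields[i + 1])
    return None


def audit_authorized_keys(text: str, blacklist: Set[str]) -> List[Tuple[int, str, bool]]:
    """What an audit tool does: (line number, fingerprint, is_blacklisted) for every key."""
    results = []
    for no, line in enumerate(text.splitlines(), 1):
        blob = parse_pubkey_line(line)
        if blob is not None:
            results.append((no, md5_fingerprint(blob), blacklist_key(blob) in blacklist))
    return results


def accept_login(blob: bytes, blacklist: Set[str]) -> bool:
    """What an upgraded sshd does: refuse a key on the blacklist before any signature check."""
    return blacklist_key(blob) not in blacklist


# Constructed sample data (toy moduli, not real RSA keys; labelled as constructed).
WEAK_BLOB = ssh_rsa_blob(65537, 0xC0FFEE0123456789ABCDEF0123456789ABCDEF01)
GOOD_BLOB = ssh_rsa_blob(65537, 0xD00D0123456789ABCDEF0123456789ABCDEF0123)

SAMPLE_BLACKLIST = load_blacklist("# constructed blacklist\n" + blacklist_key(WEAK_BLOB) + "\n")
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " weak@example",
    'command="/bin/true" ssh-rsa ' + base64.b64encode(GOOD_BLOB).decode() + " good@example",
])

if __name__ == "__main__":
    for no, fp, bad in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, SAMPLE_BLACKLIST):
        print(f"line {no}: {fp} {'BLACKLISTED' if bad else 'ok'}")
    print("weak key login accepted:", accept_login(WEAK_BLOB, SAMPLE_BLACKLIST))
    print("good key login accepted:", accept_login(GOOD_BLOB, SAMPLE_BLACKLIST))
```

The point the example makes about the embargo discussion is mechanical: the blacklist only helps if it ships before exploits circulate, since a blacklist that is published after attackers already hold the weak private keys leaves `accept_login` to catch logins that have already happened.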