Re: Is openssl actually safe now? (was: debian infrastructure ssh key logins disabled, passwords reset)
2008/5/14 BALLABIO GERARDO <GERARDO.BALLABIO@mpsgr.it>:
> However I wonder, is the pristine behavior correct? As far as I know, it
> is NOT justified at all to rely on the assumption that uninitialized
> memory contains random data. I read that many architectures reset it to
> some magic number, e.g., 0xdeadbeef. Is that correct?
>
> If so, and if that was the ONLY entropy source used in generating keys,
> then upstream openssl is (and has always been) just as broken as the
> patched Debian package. While if it was only used in addition to other
> sources, all this is probably a non-issue.
I wonder if there could be some tool that created a big amount of
random keys and statistically check that the system was working
propely. Any chance of a tool like that can exist?
Miry
Reply to: