Friday, May 16, 2008

How are your "Debian" SSL certs doing

Last night, while interviewing with Paul and Larry on the pauldotcom.com podcast, I had an interesting thought whilst bashing Debian and the latest OpenSSL party that they have created.

How many certificate authorities run Debian (or a Debian derivative such as Ubuntu), and how many of the keys they have signed, or the CA keys they sign with, were generated by the broken OpenSSL? The bug (CVE-2008-0166, DSA-1571) left the OpenSSL PRNG seeded by little more than the process ID, so any RSA or DSA key generated on an affected system between September 2006 and May 2008 is one of a few tens of thousands of candidates that anyone can regenerate.

Obviously the implications are substantial. Whoever has regenerated those candidate keys can match the public key in an affected certificate to its private key, get in the middle of an affected ecommerce server or application, grab credit card numbers and identity info for a day or so, and then meander on their way. Alarming because it leaves no real auditable trail for analysts to follow: the TLS handshake completes normally, nothing on the server is touched, and there is no break-in to investigate as there was with TJX or Advance Auto.

So, the moral of this story: check your own keys first. Debian and Ubuntu shipped openssl-vulnkey (in the openssl-blacklist package) and ssh-vulnkey alongside the advisory; they flag a key generated by the broken PRNG by comparing its modulus against the published blacklist, and they should be run over the server key, the server cert and every intermediate cert the CA handed you. Then check with your CA whether it generated any key for you, or whether its own signing keys were generated on an affected system. If either is true, a new key pair has to be generated on a patched system, the CA has to issue a certificate for it, and the old certificate has to be revoked, because reissuing alone does nothing about a private key that everyone else can already compute.
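The check described above, as an added example that is not code from the original post or from the Debian tools: it reproduces the modulus-hash lookup that openssl-vulnkey performs against the openssl-blacklist files. The convention assumed here (SHA-1 over the exact text `Modulus=<UPPERCASE HEX>\n` as printed by `openssl x509 -noout -modulus`, keeping only the last 20 hex characters) is my recollection of the openssl-blacklist format and should be verified against your copy of `/usr/share/openssl-blacklist/blacklist.RSA-<bits>`. The modulus, blacklist entries and file path in the block are constructed for the example and are not real weak keys.

```python
# Added example, not from the original post or the Debian openssl-blacklist package.
# Reproduces the blacklist lookup openssl-vulnkey performs for CVE-2008-0166.
# ASSUMPTION: blacklist entry = last 20 hex chars of SHA-1("Modulus=<HEX>\n"),
# with <HEX> in uppercase exactly as `openssl x509|rsa -noout -modulus` prints it.
# Verify against your installed blacklist files before relying on this.
import hashlib
import re
import subprocess


def modulus_from_openssl_output(text: str) -> str:
    """Extract the hex modulus from `openssl x509 -noout -modulus` / `openssl rsa -noout -modulus` output."""
    m = re.search(r"Modulus=([0-9A-Fa-f]+)", text)
    if not m:
        raise ValueError("no Modulus= line in openssl output")
    # openssl prints uppercase; normalise so a hand-pasted lowercase copy hashes the same
    return m.group(1).upper()


def blacklist_fingerprint(modulus_hex: str) -> str:
    """Blacklist key for a modulus: SHA-1 of the openssl text line, last 80 bits as hex (assumed convention)."""
    line = f"Modulus={modulus_hex.upper()}\n".encode("ascii")
    return hashlib.sha1(line).hexdigest()[20:]


def load_blacklist(lines) -> set:
    """Parse blacklist file lines: skip blanks and '#' comments, keep 20-char lowercase hex entries."""
    entries = set()
    for ln in lines:
        ln = ln.strip()
        if not ln or ln.startswith("#"):
            continue
        if re.fullmatch(r"[0-9a-f]{20}", ln):
            entries.add(ln)
    return entries


def is_weak(modulus_hex: str, blacklist: set) -> bool:
    """True if the key's modulus is one of the enumerable Debian-generated keys in the blacklist."""
    return blacklist_fingerprint(modulus_hex) in blacklist


def modulus_from_file(path: str, kind: str = "x509") -> str:
    """Shell out to a real openssl binary (must be installed) for a PEM cert ('x509') or key ('rsa').
    Run this over the server key, the server cert and each intermediate the CA supplied."""
    out = subprocess.run(["openssl", kind, "-noout", "-modulus", "-in", path],
                         check=True, capture_output=True, text=True).stdout
    return modulus_from_openssl_output(out)


# Constructed sample data: NOT a real weak modulus. It is placed in a constructed
# blacklist purely so the lookup path can be exercised offline.
CONSTRUCTED_WEAK_MODULUS = ("C0FFEE" * 42 + "0BAD")   # 256 hex chars, hypothetical 1024-bit modulus
CONSTRUCTED_BLACKLIST_FILE = [
    "# constructed blacklist for this example; real ones ship in openssl-blacklist",
    "",
    blacklist_fingerprint(CONSTRUCTED_WEAK_MODULUS),
]
BLACKLIST = load_blacklist(CONSTRUCTED_BLACKLIST_FILE)


def check_openssl_output(text: str, blacklist: set = BLACKLIST) -> bool:
    """End to end: raw `openssl ... -modulus` text in, weak-or-not out."""
    return is_weak(modulus_from_openssl_output(text), blacklist)


if __name__ == "__main__":
    sample = "Modulus=" + CONSTRUCTED_WEAK_MODULUS + "\n"
    print("WEAK (Debian-generated key)" if check_openssl_output(sample) else "not in blacklist")
```

Feed the issuer's certificate through the same function to cover the other half of the question: if the CA's own signing key hashes into the blacklist, every certificate it signed is suspect regardless of how your key was made. DSA and SSH host keys have their own blacklist files and tools (ssh-vulnkey) and are not covered by this RSA-modulus check.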

I *hope*, though I doubt it will happen, that any affected CA would notify its customer base if it had issued anything from an affected system.

Cheers,
JJC