Friday, May 16, 2008

How are your "Debian" SSL certs doing?

Last night, while being interviewed by Paul and Larry on the pauldotcom.com podcast, I had an interesting thought whilst bashing Debian and the latest OpenSSL party that they have created.

How many root Certificate Authorities run Debian and generate signed SSL keys?

Obviously the implications of this are substantial. I get in the middle of an affected e-commerce server/application and grab credit card numbers and identity info for a day or so, then meander on my way. Alarming, because of course it does not produce any real auditable trail for analysts to follow. I mean, there was no real break-in as with TJX or Advance Auto.

So, the moral of this story is that you need to check with your CA and see if they issued you any certs/keys from any affected systems. If that is the case then they of course need to re-issue a known good cert/key to you.

I *hope*, but doubt, that any affected CA would notify their customer base if they had issued anything from an affected system.

Cheers,
JJC

4 comments:

Anonymous said...

---------- Forwarded message ----------
From: GoDaddy.com notice@godaddy.com
Date: Wed, Aug 27, 2008 at 2:33 PM
Subject: Second Notice: Avoid revocation of your SSL Certificate


******************************************
Second Notice: Avoid revocation of your SSL Certificate
******************************************


We recently sent you a notice warning you of a very serious vulnerability for the version of OpenSSL distributed with the Debian and Ubuntu operating systems. Learn more about this vulnerability here: http://help.godaddy.com/article/4562?&isc=gdp0844a

GoDaddy.com has identified the following SSL certificate(s) as having compromised private keys:

*******************
*******************

DON'T WAIT! Take these steps by September 15, 2008 or RISK REVOCATION* of your SSL certificate:

STEP 1. Patch the server where the SSL certificate is installed.
Please follow the recommendations from Debian (http://www.debian.org/security/2008/dsa-1571) or Ubuntu (http://www.ubuntu.com/usn/usn-612-4). You must patch the server first before proceeding to Step 2.

~ Please contact your hosting provider for assistance or call Go Daddy at 480-505-8852. Our support staff is here to help you 24/7.

STEP 2. Email us with the exact name of your certificate.
After completing Step 1, send an email to debiankeyissue@godaddy.com that includes the exact name of your certificate. You can find this information at https://certificates.godaddy.com or you can call our support staff at 480-505-8852 for assistance.

STEP 3. Follow the instructions in the return email.
Once we receive your email, we will enable a free re-key token for your SSL certificate. Detailed instructions about how to re-key your certificate using the token will be sent to you by email. Please note, you will only have seven days to use this free token before it expires, SO ACT NOW!

If you have any questions, please check the Go Daddy(R) Help Center links below or call our support staff at 480-505-8852.

GO DADDY HELP CENTER LINKS:

What does it mean to re-key a certificate?
http://help.godaddy.com/article/867

Generating a Certificate Signing Request (CSR)
http://help.godaddy.com/topic/236/article/560

CSR Generation Instructions
https://certs.godaddy.com/CSRgeneration.go

Re-Key FAQ
https://certs.godaddy.com/Faq.go#re-key

Sincerely,

GoDaddy.com

*Because of the seriousness of this vulnerability, we are exercising our certificate-revocation rights per your user subscriber agreement.

Go Daddy is always looking out for your Internet safety. Learn how to verify legitimate emails and detect email fraud by visiting GoDaddy.com and clicking "Security Center" under "About Go Daddy."

----------------------------------------------------------

Copyright (C) 2008 GoDaddy.com, Inc. All Rights Reserved.

Anonymous said...

Surprising... considering how horrible they are, or have been.

Basti said...

I get an error when patching & compiling Barnyard.

Error message during compilation (after patching):

configure: WARNING: `missing' script is too old or missing

Thanks for any help.

JJC said...

What version of BY are you patching and how are you doing it?