Tuesday, May 20, 2008

Security: Alarming Open-Source Security Holes

Alarming Open-Source Security Holes
Technology Review (05/20/08) Garfinkel, Simson

An open-source programming error made in May 2006, which reduced the amount of randomness used to create cryptographic keys in the widely used OpenSSL library, has created serious security vulnerabilities in at least four open-source operating systems, 25 application programs, and millions of computer systems. Although the vulnerability was discovered on May 13 and a patch has been distributed, installing the patch does not repair the damage to already-compromised systems, and some computers may be compromised even though they are not running the flawed code. Modern computer systems use large random numbers to generate the keys that encrypt and decrypt data sent over a network. The error reduces the number of different keys that affected Linux computers can generate to 32,767, making it significantly easier for attackers to guess the key. Moreover, keys created by computers with the error are not fixed when the patch is installed. It is impossible to know how many computers are affected, because vulnerable keys could have spread to non-open-source systems whenever a key or file produced by a flawed system was transferred to another system. The error was made when programmers incorrectly used a tool intended to catch programming bugs that lead to security vulnerabilities. Programs that use OpenSSL include the Apache Web server, the SSH remote access program, IPsec Virtual Private Networks, secure email programs, and many others.
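The two points the summary makes, that a generator with almost no entropy can only produce a tiny number of distinct keys, and that patching the generator does nothing for keys already in service, are easiest to see with a toy model. The following is an added example written for this post, not code from Technology Review or the OpenSSL project. It assumes, as a modelling simplification, that the weak generator's only varying input is a process id in the range 1..32767, and it replaces real RSA generation with a SHA-256 hash of the seed so that the entire weak keyspace can be enumerated in a few seconds. The defender's side is a fingerprint blacklist: enumerate every key the weak generator could have produced, record the fingerprints, and check an inventory of deployed keys against it; any hit must be replaced, because the patch alone leaves it in place.

```python
"""Toy model of reduced-randomness key generation and a defender's blacklist.

Added example, not from the original article. Assumptions (mine):
  * the weak generator's only entropy is a process id in 1..PID_MAX;
  * "key generation" is modelled as SHA-256 of the seed, not real RSA,
    so the whole weak keyspace can be enumerated quickly.
"""
import hashlib
import os
import random
from typing import Iterable, List, Tuple

PID_MAX = 32767  # the article's figure for the number of distinct keys


def weak_keygen(pid: int) -> bytes:
    """Models a generator whose entropy pool was reduced to the process id.

    Two processes that happen to get the same pid produce the same key.
    """
    if not 1 <= pid <= PID_MAX:
        raise ValueError("pid outside the modelled range 1..PID_MAX")
    seed = b"weak-seed:" + pid.to_bytes(2, "big")  # constructed seed label
    return hashlib.sha256(seed).digest()


def fixed_keygen() -> bytes:
    """Models the patched generator: entropy comes from the OS CSPRNG."""
    return hashlib.sha256(os.urandom(32)).digest()


def fingerprint(key: bytes) -> str:
    """Short, stable identifier for a key (first 64 bits of SHA-256)."""
    return hashlib.sha256(key).hexdigest()[:16]


def distinct_weak_keys(pids: Iterable[int]) -> int:
    """How many distinct keys a fleet of weak generators actually produced."""
    return len({weak_keygen(p) for p in pids})


def build_blacklist() -> frozenset:
    """Enumerate the entire weak keyspace and record each fingerprint.

    This is the defender's mitigation: the keyspace is small enough to list
    exhaustively, so every possible weak key can be recognised on sight.
    """
    return frozenset(fingerprint(weak_keygen(p)) for p in range(1, PID_MAX + 1))


def is_weak(key: bytes, blacklist: frozenset) -> bool:
    """True if the key is one the weak generator could have produced."""
    return fingerprint(key) in blacklist


def audit(keys: List[bytes], blacklist: frozenset) -> List[Tuple[int, bool]]:
    """Check a key inventory; weak keys must be regenerated, not just patched."""
    return [(i, is_weak(k, blacklist)) for i, k in enumerate(keys)]


if __name__ == "__main__":
    # 100,000 simulated key generations still yield at most PID_MAX keys.
    rng = random.Random(1)  # fixed seed so the demo is reproducible
    fleet_pids = [rng.randint(1, PID_MAX) for _ in range(100_000)]
    print("distinct keys from 100,000 weak generations:",
          distinct_weak_keys(fleet_pids))

    blacklist = build_blacklist()
    inventory = [weak_keygen(4242), fixed_keygen(), weak_keygen(7)]
    for idx, weak in audit(inventory, blacklist):
        print(f"key {idx}: {'WEAK - replace' if weak else 'ok'}")
```

The blacklist check is the practical takeaway: since the flawed generator's output space is enumerable, a key's fingerprint alone tells you whether it needs rotation, which is exactly why installing the patch is necessary but not sufficient.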