Scott Yilek
Stefan Savage
ABSTRACT
We report on the aftermath of the discovery of a severe vulnerability in the Debian Linux version of OpenSSL. Systems affected by the bug generated predictable random numbers, most importantly public/private keypairs. To study user response to this vulnerability, we collected a novel dataset of daily remote scans of over 50,000 SSL/TLS-enabled Web servers, of which 751 displayed vulnerable certificates. We report three primary results. First, as expected from previous work, we find an extremely slow rate of fixing, with 30% of the hosts vulnerable when we began our survey on day 4 after disclosure still vulnerable almost six months later. However, unlike conventional vulnerabilities, which typically show a short, fast fixing phase, we observe a much flatter curve with fixing extending six months after the announcement. Second, we identify some predictive factors for the rate of upgrading. Third, we find that certificate authorities continued to issue certificates to servers with weak keys long after the vulnerability was disclosed.
- P. Abeni, L. Bello, and M. Bertacchini. Exploiting DSA-1571: How to break PFS in SSL with EDH, July 2008. http://www.lucianobello.com.ar/exploiting_DSA-1571/index.html.Google Scholar
- A. Becherer, A. Stamos, and N. Wilcox. Cloud computing security: Raining on the trendy new parade. Presented at BlackHat USA 2009, July 2009. Online: http://www.isecpartners.com/files/Cloud.BlackHat2009-iSEC.pdf.Google Scholar
- I. Goldberg and D. Wagner. Randomness and the Netscape browser. Dr. Dobb's Journal, pages 66--70, Jan. 1996.Google Scholar
- S. Kent and K. Seo. Security Architecture for the Internet Protocol. RFC 4301, Internet Engineering Task Force, Dec. 2005. Protocol Architecture. RFC 4251, Internet Engineering Task Force, Jan. 2006.Google Scholar
- D. G. Kleinbaum. Survival Analysis: A Self-Learning Text. Springer, 1996.Google Scholar
- B. Laurie. Debian and OpenSSL: The aftermath, May 2008. http://www.links.org/?p=328.Google Scholar
- B. Laurie. Vendors are bad for security, May 2008. http://www.links.org/?p=327.Google Scholar
- B. Laurie and R. Clayton. OpenID/Debian PRNG/DNS cache poisoning advisory, Aug. 2008. www.links.org/files/openid-advisory.txt.Google Scholar
- H. Lee, T. Malkin, and E. Nahum. Cryptographic strength of SSL/TLS servers: Current and recent practices. In C. Dovrolis and M. Roughan, editors, Proceedings of IMC 2007, pages 83--92. ACM Press, Oct. 2007. Google ScholarDigital Library
- F. Leisch. Sweave: Dynamic generation of statistical reports using literate data analysis. In W. Härdle and B. Rönz, editors, Compstat 2002 - Proceedings in Computational Statistics, pages 575--80. Physica Verlag, Heidelberg, 2002.Google Scholar
- M. Mueller. Debian OpenSSL predictable PRNG bruteforce SSH exploit, May 2008. http://milw0rm.com/exploits/5622.Google Scholar
- E. Murray. SSL server security survey, July 2000. Archived copy online: http://web.archive.org/web/20031005013455/http://www.lne.com/ericm/papers/ssl_servers.html.Google Scholar
- Netcraft. Netcraft SSL survey. news.netcraft.com/SSL-Survey/, Jan. 2008.Google Scholar
- R Development Core Team. R: A Language and Environment for Statistical Computing. R Foundation for Statistical Computing, Vienna, Austria, 2008.Google Scholar
- T. Ramos. The Laws of Vulnerabilities. RSA Conference, 2006. http://www.qualys.com/docs/Laws-Presentation.pdf.Google Scholar
- E. Rescorla. Security holes... who cares? In V. Paxson, editor, Proc. 12th USENIX Security Symp., pages 75--90. USENIX, Aug. 2003. Google ScholarDigital Library
- S original by Terry Therneau, ported by Thomas Lumley. survival: Survival Analysis, including Penalised Likelihood. R package version 2.34.Google Scholar
- The Debian Project. openssl - predictable random number generator. DSA-1571-1, May 2008. http://www.debian.org/security/2008/dsa-1571.Google Scholar
- W. N. Venables and B. D. Ripley. Modern Applied Statistics with S. Springer, New York, fourth edition, 2002.Google Scholar
- T. Ylonen and C. Lonvick. The Secure Shell (SSH) Protocol Architecture. RFC 4251, Internet Engineering Task Force, Jan. 2006.Google Scholar
Index Terms
- When private keys are public: results from the 2008 Debian OpenSSL vulnerability
Recommendations
Dual-Level Attack Detection, Characterization and Response for Networks Under DDoS Attacks
DDoS attacks aim to deny legitimate users of the services. In this paper, the authors introduce dual-level attack detection D-LAD scheme for defending against the DDoS attacks. At higher and coarse level, the macroscopic level detectors MaLAD attempt to ...
An OWASP Top Ten Driven Survey on Web Application Protection Methods
Risks and Security of Internet and SystemsAbstractWeb applications (WAs) are constantly evolving and deployed at broad scale. However, they are exposed to a variety of attacks. The biggest challenge facing organizations is how to develop a WA that fulfills their requirements with respect to ...
Analysis of a Security Incident of Open Source Middleware - Case Analysis of 2008 Debian Incident of OpenSSL
SAINT '09: Proceedings of the 2009 Ninth Annual International Symposium on Applications and the InternetOpen source software is proved to be very useful in saving time and cost in building software of complex functions. Security is not an exception of this trend. A problem in securityware is the guarantee of its quality on security. In this paper, we ...
Comments