Netcraft’s June SSL Survey has found that a significant number of SSL certificates are affected by the Debian OpenSSL vulnerability, including Extended Validation SSL certificates and certificates belonging to banks.
The vulnerable certificates afford opportunities to create deceptive sites which use apparently valid SSL certificates, giving the user the impression that the site belongs to the certified organisation. In the case of EV certificates, browsers will also turn the address bar green, even though the certificate may be cloned.
From an attacker’s point of view, the main limitation is that the browser will warn the user if the certificate common name does not match the name used by the user to access the site, so the attacker would need to affect the user’s network or the DNS results to get a completely seamless attack.
The following screenshot demonstrates the feasibility and effectiveness of such an attack.
Example based on vulnerable site found via Netcraft’s SSL Survey database.
On the 13th May, Debian released a security advisory (also described in CVE-2008-0166) announcing a vulnerability in Debian’s OpenSSL package, which made it possible to discover private keys from public SSL and SSH keys. The issue affects all versions of OpenSSL on Debian-based operating systems over the course of two years — ever since two lines of code were commented out to prevent compilers displaying warnings about the use of uninitialized data.
The removal of these two lines of code vastly decreases the entropy of the seed used by the pseudo-random number generator in OpenSSL, making it easier to predict the random numbers generated by OpenSSL. This makes it easy for remote attackers to conduct offline brute force attacks against the cryptographic keys used in SSL certificates generated on vulnerable systems. All SSL and SSH keys generated on Debian-based operating systems since September 2006 may be affected. Affected operating systems include Ubuntu, Kubuntu, Knoppix, Grml and the Xandros Linux distribution used by the popular Asus Eee PC.
HD Moore has published an analysis of the Debian OpenSSL issue at Metasploit, noting how the keys are tied to the process ID. Using 31 Xeon cores clocked at 2.33GHz, Moore was able to generate all 1024-bit DSA and 2048-bit RSA keys for x86 architectures in only 2 hours, and all 4096-bit RSA keys in about 6 hours.
Although a number of certificate authorities have offered free replacement certificates to customers affected by the Debian OpenSSL vulnerability, it has been reported that they have not been getting a big response. Comodo is offering a free replacement SSL certificate to any affected business, regardless of their original provider, while VeriSign is offering free reissuance for both SSL certificates and code signing certificates. GeoTrust and Thawte also offer free SSL certificate reissuance, and RapidSSL certificates can be renewed for free at GeoTrust’s website.