Straw Poll -- Weak SSL/SSH keys

Jonathan Bennett jonathan.bennett at heise-online.co.uk
Mon Jun 16 11:26:48 BST 2008


I crave your collective indulgence.

You are all, I assume, aware of the Debian weak keys issue. No doubt any
of you affected by it have already updated your systems, retired your
old keys and generated new ones. However, not everyone out there is
quite so diligent, and some servers still have weak keys in place.

Some of these are SSL servers, like wot is used to do e-commerce, an' 
that. The issue here is that, in theory, an attacker could decrypt the 
traffic and recover your credit card details, since brute forcing the 
server's private key is that much easier. You could also be talking to a 
fake server for the same reason, but this doesn't make much difference 
to the information an attacker can collect.

What I'd like to know is:

1) Do you care?
2) If not, why not?
3) Would you ever bother testing a site's certificate for a weak key 
before doing business with them?


J.



More information about the london.pm mailing list