
OpenSSL Vulnerability Discovered

Date: 2008-05-14

This week, a security problem was discovered in the Debian operating system used by May First/People Link servers and announced within the Debian community (which is world-wide). This problem could potentially allow someone to read encrypted data sent between your computer and our servers.

To our knowledge, this has not happened to us, and we are in the process of updating all of our servers to ensure that they are not vulnerable. As a result of these updates, some users may see error messages that they did not see before.

Who is affected?

The only members who will be affected are members that:

  • Use Secure FTP or secure shell (ssh) to connect to either malcolm.mayfirst.org or mandela.mayfirst.org (viewsic.mayfirst.org and chavez.mayfirst.org are not affected).
  • Use our offsite backup system
  • Use an SSL certificate for a secure web site (https) and generated the SSL key using Debian software between 2006-09-17 and 2008-05-15.

Secure Shell/Secure FTP users

We are updating the keys on malcolm.mayfirst.org and mandela.mayfirst.org at 5:30 pm Americas/New_York time, Wednesday, May 14.

After this update takes place, you will get a message when you attempt to secure FTP or secure shell into one of these computers indicating that the host key has changed. The message may say something like:

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

Please see our host key changed help file to avoid getting that message in the future.

Offsite backup users

We are updating the keys on our offsite backup server at 9:30 am Americas/New_York time, Thursday, May 15.

If you are using our offsite backup system, you will also get the host key changed error when your backup runs Thursday night/Friday morning. However, it will happen during your automated backup process, causing your automated backup to fail until you follow the directions and import the proper new host key.

More Information

Keep in mind that this does not affect your information or any of the functionality you have on our servers. We have not been compromised. We're just in touch because you may see this message and become concerned.

Host keys are random bits of text that are unique to every server. The randomness of the keys allows us to have a secure, encrypted connection between you and the server. Due to a bug in the software used to generate our host keys, they were not generated in a way that was random enough: the range of bits used to create the keys was limited to a guessable number. This means that, with the proper program and lots of time, a hacker could "guess" the key. Not likely, but possible, and possible is good enough for us. To fix the problem, we had to re-generate all the affected keys, and that's what's causing that error.
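As an added illustration (not May First/People Link or Debian code), the sketch below models the problem described above with a toy key generator whose only randomness is a small seed, and shows the defensive check that follows from it: list every key the generator can produce once, then flag any key that appears in that list. The toy generator, the seed-space size of 32768 and the sample key names are constructed assumptions.

```python
import hashlib
import os
import random

SEED_SPACE = 32768  # assumption: size of the guessable seed range in this toy model


def toy_keygen(seed, nbytes=32):
    """Toy stand-in for a key generator whose ONLY entropy is `seed`."""
    rng = random.Random(seed)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big")


def fingerprint(key):
    """Short identifier for a key, as used when comparing host keys."""
    return hashlib.sha256(key).hexdigest()


def build_blocklist(seed_space=SEED_SPACE):
    """Enumerate every key the weak generator can produce, once, up front."""
    return {fingerprint(toy_keygen(s)) for s in range(seed_space)}


def audit(keys, blocklist):
    """Map each key name to True if the key is one of the guessable ones."""
    return {name: fingerprint(k) in blocklist for name, k in keys.items()}


if __name__ == "__main__":
    blocklist = build_blocklist()
    # Constructed sample keys: one from the weak generator, one from the OS CSPRNG.
    keys = {
        "old-host-key": toy_keygen(12345),
        "regenerated-host-key": os.urandom(32),
    }
    for name, weak in audit(keys, blocklist).items():
        print(f"{name}: {'WEAK, regenerate' if weak else 'ok'}")
```

However long the key is, the number of distinct keys can never exceed the number of distinct seeds, which is why every affected key had to be regenerated rather than patched in place.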

Please see the Debian wiki page for a full explanation of the security problem.

Last modified on Aug 28, 2008, 1:52:04 PM