The consequences of the Debian OpenSSL compromise
Although this is rather behind the times, I don't think I've seen the practical consequences of the Debian OpenSSL vulnerability written down clearly and in one place. So here is my list, concentrating on SSH and SSL certificates:
- SSH host keys and personal SSH keys generated on a vulnerable system are entirely compromised.
- SSL certificates whose private keys were generated with OpenSSL on a vulnerable system are compromised. This especially includes signed certificates used on public websites; if this applies to you, get ready to explore the marvelous world of certificate compromises.
- any SSH DSA key used from a vulnerable machine could have been
- pretty much any SSH session involving a vulnerable machine (on either end) can be decrypted by an attacker, because of how SSH does encryption: the session keys come from a Diffie-Hellman exchange, and a vulnerable end draws its Diffie-Hellman secret from the broken random number generator, so the shared secret is recoverable by anyone who captured the session. It is important to understand that this has nothing to do with whether or not you are using vulnerable keys; either end can destroy the effectiveness of the session encryption.
- even with uncompromised SSL certificates, some SSL sessions involving a vulnerable machine (on either end) can be decrypted. Affected sessions are those using SSL forward secrecy (ephemeral Diffie-Hellman), because the ephemeral key on the vulnerable end comes from the same broken random number generator.
- I believe that most sessions not using SSL forward secrecy can be decrypted if they involve a compromised SSL certificate, regardless of whether the session involves any vulnerable machines.
Or in short: even if you are not using bad keys or certificates, a vulnerable system is still bad news.
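As an added illustration of how a defender checks the first item above (this is not code from the original post): a small scanner that parses OpenSSH public key lines from authorized_keys or known_hosts, works out each key's type and size, and compares its MD5 fingerprint against a weak-key blacklist. The blacklist format is assumed to follow Debian's openssh-blacklist files (the last 20 hex digits of the MD5 fingerprint, one list per key type and size); the sample keys and the blacklist entry are constructed for the demonstration, not real weak keys.

```python
import base64
import hashlib
import struct

def _string(b):  # SSH wire "string": 4-byte big-endian length + bytes
    return struct.pack(">I", len(b)) + b
def _mpint(x):   # SSH mpint: leading 0x00 byte when the top bit would be set
    return _string(x.to_bytes((x.bit_length() + 8) // 8, "big"))
def _read_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def make_rsa_blob(n, e=65537):  # constructed public encoding only; n is not a real modulus
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)

def key_info(blob):
    """(key type, size in bits, MD5 fingerprint hex) of a raw OpenSSH public key blob."""
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode()
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)  # public exponent; the size comes from the modulus
    elif ktype != "ssh-dss":               # for ssh-dss the next field is the prime p
        raise ValueError("unsupported key type " + ktype)
    n, _ = _read_string(blob, off)
    return ktype, int.from_bytes(n, "big").bit_length(), hashlib.md5(blob).hexdigest()

def weak_keys(lines, blacklist):
    """Return (line number, type, bits) for every key whose fingerprint is blacklisted."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        fields = line.split()
        # skip authorized_keys options or known_hosts host names in front of the key type
        idx = next((i for i, f in enumerate(fields) if f in ("ssh-rsa", "ssh-dss")), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        try:
            ktype, bits, fp = key_info(base64.b64decode(fields[idx + 1]))
        except (ValueError, struct.error):
            continue  # comments, malformed lines, unsupported key types
        if fp[-20:] in blacklist.get((ktype, bits), set()):
            hits.append((lineno, ktype, bits))
    return hits

WEAK_KEY = base64.b64encode(make_rsa_blob((1 << 2047) | 12345)).decode()  # constructed, "weak"
GOOD_KEY = base64.b64encode(make_rsa_blob((1 << 2047) | 54321)).decode()  # constructed, clean
SAMPLE_LINES = ["ssh-rsa " + WEAK_KEY + " alice@vulnerable-host",
                'command="/bin/false" ssh-rsa ' + WEAK_KEY + " restricted-copy",
                "ssh-rsa " + GOOD_KEY + " bob@clean-host"]
# assumed blacklist format: last 20 hex digits of the MD5 fingerprint, per key type and size
SAMPLE_BLACKLIST = {("ssh-rsa", 2048): {key_info(base64.b64decode(WEAK_KEY))[2][-20:]}}
```

Running `weak_keys(SAMPLE_LINES, SAMPLE_BLACKLIST)` flags lines 1 and 2 (the same weak key, once with an options prefix) and leaves the clean key alone; point it at a real blacklist and a real authorized_keys file to audit a host.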
Complicating the SSL situation is the issue of which SSL library an application uses. Some Debian systems have both OpenSSL and GNUTLS installed, and GNUTLS is not vulnerable. So an application using GNUTLS does not lose any perfect forward secrecy it had; but if it did not have PFS, its sessions are still vulnerable if it was using a compromised certificate generated by OpenSSL. (And conversely, a certificate generated by GNUTLS on a vulnerable system is not compromised.)
(OpenSSH always uses OpenSSL and people usually generate certificates with OpenSSL, although not always. Web servers, IMAP servers, and so on can vary widely, although in practice most use OpenSSL.)
Note: 'Debian' here includes all Debian-derived distributions, which includes at least Ubuntu (and its variants), Knoppix, and Xandros.