A bug in the Debian-modified version of OpenSSL (also used by Ubuntu) means that cryptographic keys generated on Debian systems for the last couple of years may be insecure. Instead of being well randomized, they are easily guessable.
More information about the vulnerability is here; how to fix it here.
How much does this matter? The full scope has not emerged yet, but as I understand it, it affects self-generated keys. Those who purchased certificates from a third-party certificate authority are not affected, unless one of those authorities turns out to have been using the broken version, which is unlikely. Even if you purchased certificates from a third-party certificate authority, you would still be affected if you generated the certificate request on a system with the broken OpenSSL library (thanks to Nico for the correction below).
This means that a large number of supposedly secure SSH connections or SSL connections to web sites and servers over the last couple of years were actually not very secure at all.
If nothing else, it shows how easy it is to be falsely reassured, to think you are secure when you are not.
It also shows the risks of modifying security code. The problem is not with OpenSSL, but with changes made by a Debian coder who thought he was fixing something when in fact he was breaking it.
This site runs on Debian and I’ve spent some time today checking it for vulnerability and regenerating keys.
Those who purchased certificates from a third-party certificate authority are not affected, unless one of those authorities turns out to have been using the broken version which is unlikely.
Some time ago I worked quite a bit with certificates. The keys are generated by you, so you would be affected if you used OpenSSL to generate them. After the key pair generation, you send the certificate request (public key + the info you want to be visible in the certificate) to the certificate authority to sign. The private key never ever leaves your system.
This process is somehow blurred by the fact that sometimes it’s initiated by a web application, that starts a complex protocol, really done inside the browser.
Think about it: the private key is something very secret and personal, how could the CA be trusted to have it, just for a second, much less to create it?
In the case of the OpenSSL command-line tool, the key pair and the certificate request are manually created and then sent to the CA. I don’t know if open source browsers use OpenSSL under the hood in Debian. But then, my understanding is that they’re affected.
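The workflow Nico describes, and the reason the post's correction matters, can be seen by running it. The script below is an added example, not code from the original post or from Debian: it generates the key pair locally, builds the certificate signing request from it, and then checks that the CSR carries the same RSA modulus as the private key and no private-key material. The file names and the subject "/CN=example.test" are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): local key generation, CSR
# creation, and a check that only the public half leaves the machine.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"      # assumed scratch directory
KEY="$WORKDIR/server.key"              # assumed private key path
CSR="$WORKDIR/server.csr"              # assumed CSR path

# Step 1: the private key is generated on *your* machine. This is the step
# the Debian bug affected: if this system's OpenSSL had the crippled RNG,
# the key is weak regardless of which CA later signs the request.
generate_key() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
}

# Step 2: the CSR holds the public key plus the subject fields; it is the
# only thing sent to the CA. The private key stays in $KEY.
generate_csr() {
    openssl req -new -key "$KEY" -out "$CSR" -subj "/CN=example.test" 2>/dev/null
}

# Check 1: the modulus in the CSR must equal the modulus of the private key,
# i.e. the CA will be certifying the key that was generated locally.
check_csr_matches_key() {
    key_mod=$(openssl rsa -in "$KEY" -noout -modulus)
    csr_mod=$(openssl req -in "$CSR" -noout -modulus)
    if [ "$key_mod" = "$csr_mod" ]; then echo match; else echo mismatch; fi
}

# Check 2: the CSR must not contain any private-key block.
csr_has_private_material() {
    if grep -q "PRIVATE KEY" "$CSR"; then echo yes; else echo no; fi
}

generate_key
generate_csr
echo "CSR/key modulus: $(check_csr_matches_key)"
echo "CSR contains private key material: $(csr_has_private_material)"
```

The point of the two checks is the one made in the comment above: the CA never sees the private key, so a signature from a well-run CA cannot repair a key that was weak when it was generated. On an affected Debian system the remaining question is whether the key in `$KEY` came from the broken RNG; Debian shipped blacklist tools (`ssh-vulnkey` for SSH keys and `openssl-vulnkey` from the openssl-blacklist package) to compare existing keys against the known weak set, and any key that matches has to be regenerated on a patched system and re-submitted to the CA.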
@Nico thanks for the correction; I’ve updated the post. I should have known as I’ve done this myself recently – see separate post about buying a code-signing cert. from Thawte:
http://www.itwriting.com/blog/?p=597
Tim