Enterprises aren't rushing to accept offers from some CAs to replace affected SSL certificates free of charge.
If the experiences of some certificate authorities are any indication, fallout
from a vulnerability affecting Debian-based encryption keys
has not rippled out
as far among enterprises as some have feared-yet.
Some CAs issuing replacement certificates free of charge to enterprises
affected by the flaw reported that enterprises have not jumped at their offers
for a variety of reasons.
The now-patched vulnerability, reported by the Debian Project May 13, allows
a hacker to use brute-force guessing attacks to decipher keys in SSH (Secure
Shell), DNSSEC (Domain Name System Security Extensions), OpenVPN, X.509
certificates and session keys used in SSL/TLS
(Secure Sockets Layer/Transport Layer Security) connections.
The vulnerability has existed since September 2006, and officials with the
Debian Project recommend that all cryptographic key material generated by
OpenSSL versions starting with 0.9.8c-1 on Debian systems be considered
compromised and recreated from scratch.
Since the flaw was announced, CAs have stepped up to offer
free replacement of SSL certificates for
enterprises affected by the situation. But officials at VeriSign and
Comodo Group say there has not been a groundswell of enterprises taking
them up on it.
"We're not seeing much of it, to be honest," said Melih
Abdulhayoglu, CEO of Comodo. "It will
take time for the [system administrators] who are running Debian ... I think one
of the biggest issues is what are these people doing to check the
vulnerabilities. I don't think everyone is realizing right now that they are
vulnerable and running to us."
There is also the fact that Debian is not the most popular Linux
distribution, Abdulhayoglu said.
Still, potentially replacing two years' worth of keys could represent a
formidable task for enterprises that are affected, analysts have said.
"In the event that an enterprise did have to replace a large number of
certificates, the main difficulty it would face would simply be the logistics
of turning over that many certificates and getting all the right parts in all
the right places," said Tim Callan, vice president of SSL
product marketing at VeriSign.
However, enterprises are capable of flipping their entire certificate base
in less than a month if it is worth their while, Callan noted.
Businesses are still investigating the impact of the vulnerability, he
added, and it may take a while for CAs to see an outpouring of requests for
"Even those companies who do need the update and
are aware of it might not have been able to reissue their certificates
yet," Callan said. "They have to install the Debian patch, satisfy
themselves that it's working correctly, figure out which [certificates] need
replacement, revoke them and replace them with the new certificates. That's a
lot of steps and the part where they touch the CA is not until the end of that