CAs Not Getting Big Response to Debian Encryption Flaw

Enterprises aren't rushing to accept offers from some CAs to replace affected SSL certificates free of charge.

If the experiences of some certificate authorities are any indication, fallout from a vulnerability affecting Debian-based encryption keys has not rippled out as far among enterprises as some have feared-yet.

Some CAs issuing replacement certificates free of charge to enterprises affected by the flaw reported that enterprises have not jumped at their offers for a variety of reasons.

The now-patched vulnerability, reported by the Debian Project May 13, allows a hacker to use brute-force guessing attacks to decipher keys in SSH (Secure Shell), DNSSEC (Domain Name System Security Extensions), OpenVPN, X.509 certificates and session keys used in SSL/TLS (Secure Sockets Layer/Transport Layer Security) connections.

The vulnerability has existed since September 2006, and officials with the Debian Project recommend that all cryptographic key material generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems be considered compromised and recreated from scratch.

Since the flaw was announced, CAs have stepped up to offer free replacement of SSL certificates for enterprises affected by the situation. But officials at VeriSign and Comodo Group say there has not been a groundswell of enterprises taking them up on it.

"We're not seeing much of it, to be honest," said Melih Abdulhayoglu, CEO of Comodo. "It will take time for the [system administrators] who are running Debian ... I think one of the biggest issues is what are these people doing to check the vulnerabilities. I don't think everyone is realizing right now that they are vulnerable and running to us."

There is also the fact that Debian is not the most popular Linux distribution, Abdulhayoglu said.

Still, potentially replacing two years' worth of keys could represent a formidable task for enterprises that are affected, analysts have said.

"In the event that an enterprise did have to replace a large number of certificates, the main difficulty it would face would simply be the logistics of turning over that many certificates and getting all the right parts in all the right places," said Tim Callan, vice president of SSL product marketing at VeriSign.

However, enterprises are capable of flipping their entire certificate base in less than a month if it is worth their while, Callan noted.

Businesses are still investigating the impact of the vulnerability, he added, and it may take a while for CAs to see an outpouring of requests for replacement certificates.

"Even those companies who do need the update and are aware of it might not have been able to reissue their certificates yet," Callan said. "They have to install the Debian patch, satisfy themselves that it's working correctly, figure out which [certificates] need replacement, revoke them and replace them with the new certificates. That's a lot of steps and the part where they touch the CA is not until the end of that list."