openssl and NSA backdoor

Greg Woods woods at ucar.edu
Sun Dec 22 14:21:26 UTC 2013


On Sat, 2013-12-21 at 17:14 -0700, T.C. Hollingsworth wrote:

> 
> > And what about our certificates?  Are they more or less useless now?
> 
> There are no vulnerabilities related to X.509 certificates generated
> by OpenSSL (on Fedora or otherwise) that I am aware of.

The big vulnerability in the whole certificate authentication system is
not the certs themselves or the crypto based on them. It's the security
of the certificate authorities. There have been several well-publicized
incidents recently where CAs have been hacked and had certs stolen,
which allowed attackers to play man-in-the-middle (snooping on encrypted
connections) or put up fake certs to lure users to bogus web sites which
will check out as legit in the browsers.

This of course does not apply to certs you generate yourself with
openssl, but CA-signed certs are more common on the net.

--Greg
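As an added example (not part of the original message, and not Fedora's or OpenSSL's own tooling), the following shell script shows the mitigation the message implies: trusting only the CA you control rather than every CA a browser ships. It builds two private CAs with the openssl CLI, issues a server certificate from each for the same hostname, and verifies each against a trust anchor pinned to the one CA we own; all CA names, hostnames and file names are constructed for the demo.

```shell
# Added example: two private CAs, one of which stands in for a compromised
# public CA. A cert issued by the "other" CA for our hostname is rejected
# when verification is pinned to our own CA, even though a full trust store
# that also contained the other CA would have accepted it.
set -e

WORK=$(mktemp -d)
cd "$WORK"

make_ca() {   # $1 = file prefix, $2 = CA common name (constructed)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue_cert() { # $1 = issuing CA prefix, $2 = output prefix, $3 = server CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.crt" 2>/dev/null
}

# verify_against_pinned_ca CA_PREFIX CERT_PREFIX
# Returns 0 only if the cert chains to that single CA; the system trust
# store is deliberately ignored (-no-CAfile -no-CApath), which is the point.
verify_against_pinned_ca() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$1.crt" "$2.crt" \
       >/dev/null 2>&1; then
    echo "$2.crt: accepted by pinned CA $1"; return 0
  else
    echo "$2.crt: REJECTED by pinned CA $1"; return 1
  fi
}

make_ca our_ca   "Demo Our CA"
make_ca other_ca "Demo Other CA"            # stands in for a hacked CA
issue_cert our_ca   good_srv  ours.test
issue_cert other_ca rogue_srv ours.test     # same hostname, wrong issuer

verify_against_pinned_ca our_ca good_srv            # accepted
verify_against_pinned_ca our_ca rogue_srv || true   # rejected: wrong issuer
```

The rogue certificate would pass `openssl verify` (or a browser) if the other CA were in the trust store; restricting the anchor to one CA is what closes that gap.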
