If you are just catching up:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0166
http://it.slashdot.org/article.pl?sid=08/05/13/1533212

Most of the talk has been about how SSH Servers and Client private keys are vulnerable.

However, private x509 keys generated by a vulnerable machine and used by HTTPS are also guessable.

Debian and Ubuntu have made several tools to detect weak key signatures in OpenSSH and OpenVPN.

1) Shouldn't it be possible to write something that detects the weak private key fingerprint from the SSL handshake?

2) Should we remind users on [EMAIL PROTECTED] or another medium that any x509 keys generated on a Debian or Ubuntu server, such as those used for HTTPS, in the last 2 years, should be re-generated?

Thanks,

-Paul
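
An added example, not part of the original message: one way the check asked about in question 1 could work on the certificate a server presents during the handshake (for instance the bytes returned by Python's `ssl.SSLSocket.getpeercert(binary_form=True)`). The function names are hypothetical, and the fingerprint format (last 20 hex characters of SHA-1 over the `Modulus=<HEX>` line that `openssl rsa -noout -modulus` prints) is an assumption about how the weak-key blacklist is keyed; confirm it against the blacklist you actually load.

```python
import hashlib

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def _children(buf, start, end):
    """Return (tag, value_start, value_end) for each TLV inside a constructed value."""
    out = []
    while start < end:
        tag, s, e = _tlv(buf, start)
        out.append((tag, s, e))
        start = e
    return out

def rsa_modulus_from_cert(der):
    """Extract the RSA modulus from a DER X.509 certificate (no signature checks)."""
    try:
        _, s, e = _tlv(der, 0)                               # Certificate
        tbs = _children(der, *_children(der, s, e)[0][1:])   # tbsCertificate fields
        if tbs[0][0] == 0xA0:                                # optional [0] version
            tbs = tbs[1:]
        bits = _children(der, *tbs[5][1:])[1]                # subjectPublicKey BIT STRING
        tag, s, e = _tlv(der, bits[1] + 1)                   # skip unused-bits byte
        key = _children(der, s, e) if (bits[0], tag) == (0x03, 0x30) else []
        if not key or key[0][0] != 0x02:                     # EC/DSA keys do not match this shape
            raise ValueError("not an RSA public key")
        return int.from_bytes(der[key[0][1]:key[0][2]], "big")
    except IndexError:
        raise ValueError("unexpected certificate structure")

def blacklist_fingerprint(modulus):
    """Assumed blacklist format: last 20 hex chars of SHA-1 over 'Modulus=<HEX>\\n'."""
    line = "Modulus=%X\n" % modulus
    return hashlib.sha1(line.encode("ascii")).hexdigest()[20:]

def is_blacklisted(cert_der, blacklist):
    """True if the certificate's RSA key fingerprint is in the set of weak fingerprints."""
    return blacklist_fingerprint(rsa_modulus_from_cert(cert_der)) in blacklist
```

Because only the public modulus is needed, the check works from the server's certificate alone and never touches the private key.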
