How I tripped over the Debian weak keys vulnerability

Crypto wallets, RNG bugs, and fallout

  • Several comments compare the Debian weak-key issue to potential RNG failures in Bitcoin or hardware wallets.
  • Past crypto incidents (Android wallets, vanity address tools, Wintermute hack, BitcoinJS “randstorm”) are cited as evidence that bad randomness in key generation is a real and recurring problem.
  • Concern is raised about large custodians and ETFs (e.g., relying on a single custodian rather than multi‑sig across entities) and what would happen if their cold-storage keys were weak or guessable.

Brute forcing keys and “indexing the keyspace”

  • One thread models the brute-force cost of 256‑bit ECDSA, even with extreme assumptions (world GDP, massive FPGA fleets, huge algorithmic speedups), concluding it remains infeasible within human timescales.
  • Another commenter suggests deterministically enumerating all seed values and building an index of all keys; others respond that:
    • This is computationally equivalent to brute forcing.
    • Storing such an index is physically impossible (more entries than atoms on Earth).
    • “Generate a few keys and hope to stumble on a used one” sites exist, but are likened to Library of Babel thought experiments, not realistic threats.
  • Quantum or “new physics” breakthroughs are acknowledged as the only plausible way to change this, but remain speculative.

Debian OpenSSL RNG bug mechanics

  • Clarification that OpenSSL did use /dev/urandom; the Debian patch accidentally removed the code path that mixed real entropy, leaving a low-entropy seed (PID-based).
  • Descriptions differ slightly: some say two copy sites existed and Debian removed both; another recounts multiple places where partially uninitialized buffers were mixed into the pool.
  • There is agreement that:
    • The original OpenSSL code invoked undefined behavior by reading uninitialized memory.
    • Debian’s patch was “lawful” from a UB standpoint but catastrophic in effect.
    • The bug was discussed on OpenSSL mailing lists before landing; it wasn’t a one-off reckless change.

GitHub’s SSH infrastructure

  • Discussion about how GitHub avoided weak Debian keys and managed huge numbers of user keys:
    • Historical use of custom key lookup (e.g., database-backed, libssh, “babeld” on port 22) instead of basic authorized_keys files.
    • Mention that modern OpenSSH has AuthorizedKeysCommand, but GitHub’s constant “git” SSH username and scale complicate naive approaches.

Testing, detection, and “many eyes”

  • Some argue better test coverage (e.g., checking for low-entropy seeds) could have caught the Debian issue; others note randomness can’t be fully validated this way.
  • An IRC snippet suggests the weakness was first noticed via unexpectedly frequent key collisions when generating many primes.
  • The thread reflects on how often serious bugs (like this, Heartbleed, xz backdoor) may exist unnoticed, and how open-source visibility helped detect and coordinate responses in those cases.

Open vs closed source security

  • One side claims open source increases the chance that odd behavior leads to code inspection and bug discovery; with closed source, that probability drops significantly.
  • Others counter that bugs and even exploitable vulns are routinely found in proprietary software (by customers, security teams, and attackers), but:
    • Reporting channels are weaker.
    • Vendors may ignore or downplay issues.
    • Legal threats can discourage disclosure.
  • Several comments propose a lifecycle: observe weird behavior → recognize it as dangerous → report/fix → propagate the remedy. Open source is seen as making steps 2–4 more likely to succeed.

Language, parsing, and side topics

  • Some discuss an ambiguous sentence in the blog post as an example of prepositional-phrase attachment ambiguity.
  • There’s a brief mention of UUID collision worries (usually unfounded in ideal conditions, but real when entropy sources are weak).
  • Another side note references large-scale scans for RSA keys sharing factors via GCD as a separate “weak key” episode.