A team of four security researchers, including U-M Prof. J. Alex Halderman, grad students Zakir Durumeric and Eric Wustrow, and UC San Diego postdoctoral researcher Nadia Heninger, has released new research findings on the security of public keys. The researchers have developed a tool that can remotely compromise about 0.4% of all keys used for SSL website security on the Internet in a few hours.
The team has come forward with a blog post regarding their findings in response to a New York Times article on related research that incorrectly suggests that the vulnerability poses a threat to the security of web-based commerce. According to the U-M/UCSD team, the security flaw largely affects various kinds of embedded devices, such as routers and VPN devices, rather than popular web sites. The research team is preparing to publish a paper on their findings once they have notified the manufacturers of vulnerable devices.
Read the team's blog post at Freedom-to-Tinker
The issue is also under discussion on Slashdot.
ThreatPost, Feb. 15: Weak RSA Keys Plague Embedded Devices, But Experts Caution Against Panic
Ars Technica, Feb. 15: Crypto shocker: four of every 1,000 public keys provide no security
BoingBoing, Feb. 16: Prime Suspect, or Random Acts of Keyness
Benlog, Feb. 16: It's the Randomness, Stupid
Updated: February 16, 2012
Posted: February 15, 2012