WHO IS IMPACTED AND WHY?

For customers who host their sites on a Debian OS (or its derivatives) to generate a key pair used to request a certificate, that key pair (and the corresponding certificate) is vulnerable.

This is due to a flaw in the Debian-specific random number generation that results in relatively predictable key pair values, making them highly exploitable.

WHAT CAN YOU DO?

If you or your customers are running Debian operating systems and derivatives (such as Ubuntu) released between September 17, 2006 and May 12, 2008 you should deploy a recently released Debian patch and revoke and replace all SSL and Code Signing certificates for which keys were created on these operating systems. Debian has released a testing tool to confirm whether your certificates are affected. This tool and other useful information can be found here:

http://lists.debian.org/debian-security-announce/2008/msg00152.html

NOTE: Inland Pacific Consulting does not host any accounts on Debian Operating Systems. We host strictly on the new Microsoft Windows 2008 64 bit operating system. Consequently none of our clients are effected by the above security flaw.