The linked presentation above came up in a discussion the other day on IRC about what to do with certificates and SSH host keys.
I hadn’t really thought about this. Sometimes it feels like once you put on your “somebody else is thinking about security” blinders, the world just starts moving faster and the ideas get more interesting. Unfortunately, at this high speed, I have to wonder if the impact may not be fatal for some heavy cloud (ab)users.
To “see what I’m on about”, skip ahead to slide #66 to see the bits about random numbers.
I keep thinking back to the days where I would open up “pSSH” on my Palm Treo 650 and it would warn me “This device has no real random number capabilities, so the crypto is probably pretty sketchy, be careful.” Unfortunately, our ssh clients on cloud instances aren’t telling us that. Somebody needs to put “fix random seeding in the cloud” on their todo list. Oh wait, I just did.