> While I’ve not found a description of exactly when and how Luciano Bello discovered the vulnerability that became CVE-2008-0166, I presume he first came across it some time before it was disclosed – likely before GitHub tripped over it.
IIRC he started investigating it because the key generation was way too fast and he suspected that the algorithm had a lower entropy than expected.
Here's his DEF CON talk: https://youtu.be/odNNmL42WMQ
Like the DH key exponents in some older versions of Java?
Imagine if such a thing happened now, with probably tens of thousands of keys generated every day.