I’m not sure of the time that it takes to test every conceivable key available to the encryption … but it’s freaking LONG time. A period which is deemed so long that the relevance of the information is quite low. In the case of “social security numbers” in the USA, that’s a 90yr lifetime, so I’m assuming that the time required to brute force the encryption open is many times that.
This problem manifests in 2 ways:
- Communications encryptions.
- File encryptions.
If someone intercepts a communications packet (or many packets) between an affected Debian based server and any (OS) client, there is a significantly reduced range of possible encryption keys that the server will use to negotiate comms with the client, so brute forcing the intercepted packets open will be much faster since they only need to check a very small subset of the possible keys. This could mean a matter of days or weeks of brute forcing, meaning the information inside can still be relevant.
How often do you change your internet banking password?
The second way is file encryptions on the servers, or personal file security, which is probably less of a problem than the interception problem, as the crackers would need local access to the server, or to have previously intercepted packets between an affected server & a remote administrator.
That said, crackers could already have intercepted communications with financial institutions, or other matters of interest within the last few years … and recorded it somewhere … with the discovery & publication of this limited range, they can now focus on brute-forcing anything recorded since the problem began, and it will likely be open to them within a short time.
Quick … everyone change all your internet passwords