this must have been the biggest SLA research anytime
The researchers said in an examination of 6.4 million distinct X.509 certificates and PGP keys containing RSA moduli, 71,052 (1%) occur more than once, some of them thousands of times. "Overall, over the data we collected, 1024-bit RSA provides 99.8% security at best," the paper states.
now it still means that your security is high
but if you are a really important security intelligence financial or critical infrastructure or military or espionage service than there is a problem
because if you have the same key or certificate as any other service than that key can be used to impersonate you or your service - under certain conditions and the most important is that you have bought strong and expensive certificates (not just a global domain or just for the ip address or other worthless certificates like that - make believe certificates)
and no one will see and everybody will think that they are safe - because encrypted by a certificate
now the biggest and most valuable information in the world is
getting the list with all the certificates that are the same
the best thing to do is to change them all
and for RSA - who has some issues with the research (but it is too late for that) - to start checking themselves all their certificates with software robots to be sure that by chance or bad luck no two certificates are the same or could be used as such
yeah attacks against the certificates are going to continue and it is up for the business to get their act together - instead of complaining that rats are getting in through the holes or that researchers are discovering weaknesses they should have addressed already long time ago
meanwhile about 12OOO networks and installations are receiving an alert that they will have to change their certificate and re-install another one, although this isn't always that simple (to make and process) and to install and eventually in an interconnected network get the different certificates to work together (especially if some are playing with openssl ....)
but it is race against the time .....
anyone with some very fast computers and networkconnections can do exactly the same research (eventually helped by some special program) so it means that the same mistake can't be made again (one will have to check eventually if the same key has always be made 'ad random' before releasing it). People know that it takes a few days before you receive effectively your certificate, so it would be no problem prolonging this a bit with a full check of the certificates already delivered