On 11 Apr 2014, at 10:26, Michael Van Canneyt wrote:

> OTOH, I think people are hugely exaggerating the problem, considering it was 
> introduced relatively recently and that I got my security update before it 
> hit the newspapers.

The exploit code was also on github before news about the bug hit the 
newspapers. There is even some evidence it may have been exploited for at least 
3 months already, maybe longer (because unless you used some special intrusion 
detection system rules, it left no traces at all in the log files, so there's 
only very little data to go on).

Also, the fact that you updated your server so quickly doesn't mean that 
everyone did. Our university's mail servers were only patched yesterday morning 
(more than 24 hours after the story broke), because they needed time to prepare 
the patching (don't ask, I don't know the details). I bet tons of credentials 
and private data have been accessed over the past days all over the world.

> That is of course not to say that it shouldn't be fixed and people shouldn't 
> bother.
> But the way it is presented is more about scaring people than anything else. 
> Hysterics...

I very strongly disagree. All certificates and login data used with vulnerable 
services over the past year or so should be considered compromised. It will 
probably take months before all affected certificates are replaced (if that 
ever happens for most of them), and many of the replaced and hence potentially 
compromised certificates will probably never be revoked. The result is a huge 
increase in chances for man-in-the-middle attacks, not to mention all the 
compromised login data and private information (emails, bank statements, ...).


Jonas
_______________________________________________
fpc-pascal maillist  -  fpc-pascal@lists.freepascal.org
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal