On Fri, 11 Apr 2014, Jonas Maebe wrote:
> On 11 Apr 2014, at 10:26, Michael Van Canneyt wrote:
>
>> OTOH, I think people are hugely exaggerating the problem, considering it was
>> introduced relatively recently and that I got my security update before it hit
>> the newspapers.
>> That is of course not to say that it shouldn't be fixed and people shouldn't
>> bother.
>> But the way it is presented is more about scaring people than anything else.
>> Hysterics...
>
> I very strongly disagree. All certificates and login data used with
> vulnerable services over the past year or so should be considered
> compromised. It will probably take months before all affected
> certificates are replaced (if that ever happens for most of them), and
> many of the replaced and hence potentially compromised certificates will
> probably never be revoked. The result is a huge increase in chances for
> man-in-the-middle attacks, not to mention all the compromised login data
> and private information (emails, bank statements, ...).

Like I said, this is not to say that no action should be taken.
I expect that all sensitive sites (banks, Google, etc.) have taken immediate
action.
That the login of my local tennis/pool/golf club was compromised is not really
so scary, sorry.

Anyway, getting off topic.

The main point is that in FPC you can install a memory manager that wipes
out any memory when getting or releasing it, if you want to make your software
more secure that way.

Michael.
_______________________________________________
fpc-pascal maillist - fpc-pascal@lists.freepascal.org
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal
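
A sketch of the kind of memory manager the last message describes, added here as an example and not code from the thread or from the FPC project: a unit that wraps whichever manager is already installed and zeroes every heap block on allocation and on release. The unit name `wipemm` and the `Wipe*` routines are hypothetical; `TMemoryManager`, `GetMemoryManager` and `SetMemoryManager` come from FPC's System unit.

```pascal
unit wipemm; // hypothetical name; list it first in the program's uses clause
{$mode objfpc}
interface
implementation
var OldMM, NewMM: TMemoryManager; // OldMM is the manager being wrapped

procedure Wipe(P: Pointer); // zero the whole usable block, not just the requested size
begin
  if P <> nil then FillChar(P^, OldMM.MemSize(P), 0);
end;
function WipeGetMem(Size: PtrUInt): Pointer;
begin
  Result := OldMM.GetMem(Size);
  Wipe(Result); // a new block never exposes what a previous owner left in it
end;
function WipeFreeMem(P: Pointer): PtrUInt;
begin
  Wipe(P); // clear secrets before the block goes back to the heap
  Result := OldMM.FreeMem(P);
end;
function WipeFreeMemSize(P: Pointer; Size: PtrUInt): PtrUInt;
begin
  Wipe(P);
  Result := OldMM.FreeMemSize(P, Size);
end;
// Always move to a fresh block so the old copy is wiped, not left behind.
function WipeReAllocMem(var P: Pointer; Size: PtrUInt): Pointer;
var Keep: PtrUInt;
begin
  Result := nil;
  if Size > 0 then Result := WipeGetMem(Size);
  if (Size > 0) and (Result = nil) then Exit; // allocation failed, P untouched
  if P <> nil then
  begin
    Keep := OldMM.MemSize(P);
    if Keep > Size then Keep := Size;
    if Keep > 0 then Move(P^, Result^, Keep);
    WipeFreeMem(P);
  end;
  P := Result; // nil when Size = 0, matching ReAllocMem's free-on-zero behaviour
end;

initialization
  GetMemoryManager(OldMM);
  NewMM := OldMM; // AllocMem, MemSize and the thread hooks stay as they were
  NewMM.GetMem := @WipeGetMem;
  NewMM.FreeMem := @WipeFreeMem;
  NewMM.FreeMemSize := @WipeFreeMemSize;
  NewMM.ReAllocMem := @WipeReAllocMem;
  SetMemoryManager(NewMM);
end.
```

This clears only heap blocks that pass through the Pascal memory manager; stack buffers and memory allocated by external libraries with their own allocator are not touched.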