On 04/10/2014 01:01 AM, Albe Laurenz wrote:
Steve Crawford wrote:
If you aren't and weren't running a vulnerable version or if the
vulnerable systems were entirely within a trusted network space with no
direct external access then you are probably at low to no risk and need
to evaluate the cost of updates against the low level of risk.
If you are in a totally trusted environment, why would you use SSL?
I didn't say *totally* trusted - that doesn't exist. We use secure
connections inside our firewall all the time and sometimes
authentication convenience is as much a driving factor as security.
I didn't suggest someone *avoid* updating keys/certificates - just to
evaluate cost vs. risk as one must always do. But I'd submit that anyone
seriously concerned about this attack being launched from within their
internal network has a whole bunch of higher-priority security problems.
-Steve
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
