Re: openssl heartbleed
From | Steve Crawford |
---|---|
Subject | Re: openssl heartbleed |
Date | |
Msg-id | 53472BFC.6090504@pinpointresearch.com |
In response to | Re: openssl heartbleed (Albe Laurenz <laurenz.albe@wien.gv.at>) |
List | pgsql-general |

On 04/10/2014 01:01 AM, Albe Laurenz wrote:
> Steve Crawford wrote:
>
>> If you aren't and weren't running a vulnerable version or if the
>> vulnerable systems were entirely within a trusted network space with no
>> direct external access then you are probably at low to no risk and need
>> to evaluate the cost of updates against the low level of risk.
> If you are in a totally trusted environment, why would you use SSL?
>

I didn't say *totally* trusted - that doesn't exist. We use secure connections inside our firewall all the time and sometimes authentication convenience is as much a driving factor as security. I didn't suggest someone *avoid* updating keys/certificates - just to evaluate cost vs. risk as one must always do.

But I'd submit that anyone seriously concerned about this attack being launched from within their internal network has a whole bunch of higher-priority security problems.

-Steve