From: | Steve Crawford <scrawford(at)pinpointresearch(dot)com> |
---|---|
To: | Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at>, "Gabriel E(dot) Sánchez Martínez" <gabrielesanchez(at)gmail(dot)com>, Postgres General <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: openssl heartbleed |
Date: | 2014-04-10 23:40:44 |
Message-ID: | 53472BFC.6090504@pinpointresearch.com |
Lists: | pgsql-general |

On 04/10/2014 01:01 AM, Albe Laurenz wrote:
> Steve Crawford wrote:
>
>> If you aren't and weren't running a vulnerable version or if the
>> vulnerable systems were entirely within a trusted network space with no
>> direct external access then you are probably at low to no risk and need
>> to evaluate the cost of updates against the low level of risk.
> If you are in a totally trusted environment, why would you use SSL?
>
I didn't say *totally* trusted - that doesn't exist. We use secure
connections inside our firewall all the time and sometimes
authentication convenience is as much a driving factor as security.

I didn't suggest someone *avoid* updating keys/certificates - just to
evaluate cost vs. risk as one must always do. But I'd submit that anyone
seriously concerned about this attack being launched from within their
internal network has a whole bunch of higher-priority security problems.

-Steve