andrew.may
Guest
My understanding of the Heartbleed bug is that it could leak arbitrary data from memory (including SSL keys) without leaving any trace in logs. This means that any SSL key that was present in memory on a server that was running an affected version of OpenSSL cannot be guaranteed to still be secret. That is why the standard advice is to revoke & reissue all certificates that could have been leaked by a server. The above Progress statement seems to imply that they may not be planning on revoking & reissuing their certificates. Given that a compromised certificate would allow anyone to perfectly run a man-in-the-middle attack, I would hope that this is not the case. I don't much like the idea of not being sure that I'm really talking to Progress while uploading source to MAB & downloading executables. Any chance of a comment from Progress about certificate revocation plans?
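The triage the post argues for, written out as an added example (not code from the original thread or from Progress): a key that sat in the memory of a process linked against a vulnerable OpenSSL is treated as exposed, and a certificate is only cleared if it is bound to a key that was never exposed. The host inventory, fingerprints and host names below are constructed for illustration.

```python
"""Decide which TLS certificates must be revoked and reissued after Heartbleed.

Vulnerable OpenSSL releases: 1.0.1 through 1.0.1f (fixed in 1.0.1g) and the
1.0.2-beta1 pre-release. 0.9.8 and 1.0.0 never contained the heartbeat code.
Keys are tracked by public-key fingerprint: a reissued certificate that still
carries the old key pair is as exposed as the original.
"""
import re
from dataclasses import dataclass


def parse_openssl_version(s: str):
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?", s.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {s!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4], m[5] or ""


def is_vulnerable(version: str) -> bool:
    major, minor, patch, letter, pre = parse_openssl_version(version)
    if (major, minor, patch) == (1, 0, 1):
        return letter < "g"          # "" < "a" < ... < "f" < "g" in Python
    if (major, minor, patch) == (1, 0, 2):
        return pre == "-beta1"       # fixed in 1.0.2-beta2
    return False


@dataclass(frozen=True)
class HostRecord:
    host: str
    openssl_version: str          # version the TLS process was linked against
    key_fingerprints: tuple       # public keys that process held in memory


@dataclass(frozen=True)
class CertRecord:
    subject: str
    serial: str
    key_fingerprint: str


def exposed_keys(hosts) -> set:
    """Every key loaded by a vulnerable build is assumed leaked (no log evidence)."""
    return {fp for h in hosts if is_vulnerable(h.openssl_version)
            for fp in h.key_fingerprints}


def certs_to_revoke(hosts, current_certs) -> list:
    """Certificates still bound to an exposed key, even if already reissued."""
    bad = exposed_keys(hosts)
    return [c for c in current_certs if c.key_fingerprint in bad]


# Constructed inventory: one vulnerable host, one on the unaffected 1.0.0 branch,
# one already patched before it ever served its key.
HOSTS = (
    HostRecord("mab.example", "1.0.1e", ("spki:aaaa",)),
    HostRecord("legacy.example", "1.0.0l", ("spki:bbbb",)),
    HostRecord("patched.example", "1.0.1g", ("spki:cccc",)),
)
CURRENT_CERTS = (
    CertRecord("mab.example", "02", "spki:aaaa"),   # reissued, but same key pair
    CertRecord("legacy.example", "07", "spki:bbbb"),
    CertRecord("patched.example", "03", "spki:cccc"),
)
```

Only the certificate that still carries the key from the vulnerable host is flagged; a new serial number alone does not clear it.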