Re: openssl heartbleed

From Steve Crawford
Subject Re: openssl heartbleed
Date
Msg-id 53472BFC.6090504@pinpointresearch.com
In reply to Re: openssl heartbleed  (Albe Laurenz <laurenz.albe@wien.gv.at>)
List pgsql-general
On 04/10/2014 01:01 AM, Albe Laurenz wrote:
> Steve Crawford  wrote:
>
>> If you aren't and weren't running a vulnerable version or if the
>> vulnerable systems were entirely within a trusted network space with no
>> direct external access then you are probably at low to no risk and need
>> to evaluate the cost of updates against the low level of risk.
> If you are in a totally trusted environment, why would you use SSL?
>

I didn't say *totally* trusted - that doesn't exist. We use secure
connections inside our firewall all the time and sometimes
authentication convenience is as much a driving factor as security.

I didn't suggest someone *avoid* updating keys/certificates - just to
evaluate cost vs. risk as one must always do. But I'd submit that anyone
seriously concerned about this attack being launched from within their
internal network has a whole bunch of higher-priority security problems.

-Steve


