John Hasler grabbed a keyboard and wrote:
> Henrique writes:
>> It also includes the emails that were read over a
>> heartbleed-vulnerable IMAP, and every data that went over a
>> heartbleed-vulnerable VPN tunnel, for example.
>
> I wasn't aware that IMAP and VPN used heartbeat. I don't see that IMAP
> is all that serious, though. Email isn't secure anyway.

That's all well and good, but I suspect that you probably don't log in to your IMAP server by sending your username and password in the clear. And with a vulnerable version of the library, that's the kind of information that an attacker can get access to.

> But I wonder how many VPN users are aware that they have a problem?

It would depend on what library was in use (OpenSSL or another) and what version of OpenSSL. The VPN provider that I use conducted a complete survey of their systems and determined that none of their critical infrastructure was vulnerable, but they still decided to revoke and rotate their certs and private keys just as an additional precautionary measure.

--Dave