8 Apr 2014, 3:36 p.m.
Is there any indication out there as to how widely this bug has been exploited? I.e. if you've patched servers in the last 24 hours, how likely is it that your certificate keys have been leaked over the last months / year? Not looking for accurate numbers, just roughly where on the scale of, "this is possible but no reports of actual use" to "all the black hats have been doing this for years so you're screwed unless you re-issue and revoke your certs" the exploit lies.

Also, last time I worried about this, certificate revocation was, uh, largely unimplemented. That was a while ago. How well does it work now? And with potentially large numbers of revoked certs?

-- don