[fpc-pascal] Processing passwords etc.
Michael Van Canneyt
michael at freepascal.org
Fri Apr 11 11:03:43 CEST 2014
On Fri, 11 Apr 2014, Jonas Maebe wrote:
> On 11 Apr 2014, at 10:26, Michael Van Canneyt wrote:
>> OTOH, I think people are hugely exaggerating the problem, considering it was introduced relatively recently and that I got my security update before it hit the newspapers.
>> That is of course not to say that it shouldn't be fixed and people shouldn't bother.
>> But the way it is presented is more about scaring people than anything else. Hysterics...
> I very strongly disagree. All certificates and login data used with
> vulnerable services over the past year or so should be considered
> compromised. It will probably take months before all affected
> certificates are replaced (if that ever happens for most of them), and
> many of the replaced and hence potentially compromised certificates will
> probably never be revoked. The result is a huge increase in chances for
> man-in-the-middle attacks, not to mention all the compromised login data
> and private information (emails, bank statements, ...).
Like I said, this is not to say that no action should be taken.
I expect that all sensitive sites (banks, google, etc) have taken immediate action.
That the login of my local tennis/pool/golf club was compromised is not really so scary, sorry.
Anyway, getting off topic.
The main point is that in FPC you can install a memory manager that wipes
out any memory when getting or releasing it, if you want to make your software more secure that way.
More information about the fpc-pascal