(no title)

However by far the worst part of it is the private key leakage. With that, all the other stuff it sees in memory that is sensitive is probably being transmitted over the wire anyway. Which means that is can be MITM'd. Granted that is a lot more work than just examining memory...

If you plug that hole with a system like this, a website owner could just expire sessions and require people to log in again. In addition, the sessions for the past 2 years wont be at risk, only the active sessions used that day.

In short, short-lived certificates will dramatically reduce the damage, not prevent all damage.

EDIT: Sorry I realised that you were just adding to the list of consequences to this bug, not arguing the mitigations I mention would be useless! =)