OpenSSL heartbleed bug / Shibboleth implications

Cantor, Scott cantor.2 at
Tue Apr 8 09:54:16 EDT 2014

On 4/8/14, 5:06 AM, "Peter Schober" <peter.schober at> wrote:
>Does that really affect the SP's private key? I would have expected
>the priveledge seperation via shibd to prevent such problems?

Ian's correct, my understanding is that connecting as a client also
exposes that client's key to a hostile server. The mitigation with the SP
is that it doesn't generally connect to anything but IdPs and metadata
locations, unless I'm overlooking something.

I don't expect *massive* fallout on the IdP side because 1.0.1 was
relatively rare until very recently with the push to get TLS 1.1 and 1.2
deployed. But I really don't know the volume there, so I felt I needed to
highlight this.

-- Scott

More information about the users mailing list