OpenSSL heartbleed bug / Shibboleth implications

Cantor, Scott cantor.2 at osu.edu
Tue Apr 8 09:54:16 EDT 2014


On 4/8/14, 5:06 AM, "Peter Schober" <peter.schober at univie.ac.at> wrote:
>
>Does that really affect the SP's private key? I would have expected
>the privilege separation via shibd to prevent such problems?
>https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPArchitecture

Ian's correct, my understanding is that connecting as a client also
exposes that client's key to a hostile server. The mitigation with the SP
is that it doesn't generally connect to anything but IdPs and metadata
locations, unless I'm overlooking something.

I don't expect *massive* fallout on the IdP side because 1.0.1 was
relatively rare until very recently with the push to get TLS 1.1 and 1.2
deployed. But I really don't know the volume there, so I felt I needed to
highlight this.

-- Scott