OpenSSL heartbleed bug / Shibboleth implications

Leif Johansson leifj at sunet.se
Tue Apr 8 10:00:20 EDT 2014


On 2014-04-08 15:54, Cantor, Scott wrote:
> On 4/8/14, 5:06 AM, "Peter Schober" <peter.schober at univie.ac.at> wrote:
>>
>> Does that really affect the SP's private key? I would have expected
>> the privilege separation via shibd to prevent such problems?
>> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPArchitecture
> 
> Ian's correct, my understanding is that connecting as a client also
> exposes that client's key to a hostile server. The mitigation with the SP
> is that it doesn't generally connect to anything but IdPs and metadata
> locations, unless I'm overlooking something.
> 

It looks like "it depends".

Running the common sslscan.py against stuff actually gets you sessions
on most HTTPS servers I've tried but nothing that looks like private key
material. That may just be because I'm bad at mounting attacks though.

The prevalent guess over here is that most of the attacks right now are
being mounted against things that might have bitcoins in memory and so
we have a couple of days until those opportunities have closed :-)

> I don't expect *massive* fallout on the IdP side because 1.0.1 was
> relatively rare until very recently with the push to get TLS 1.1 and 1.2
> deployed. But I really don't know the volume there, so I felt I needed to
> highlight this.
> 
> -- Scott
> 
> 

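As an added illustration (not code from this thread, from Shibboleth or from sslscan.py), a defender-side check of the point Scott raises: a Heartbleed probe can arrive from either peer, so the detector below walks TLS records in both directions of a connection and flags any heartbeat whose declared payload length exceeds what the record actually carries (RFC 6520 requires at least 16 bytes of padding after the payload). The sample records are constructed, not captured.

```python
import struct
from typing import Iterator, Optional

HEARTBEAT = 24     # TLS content type for heartbeat (RFC 6520)
MIN_PADDING = 16   # RFC 6520: at least 16 bytes of padding follow the payload

def parse_records(data: bytes) -> Iterator[tuple[int, int, bytes]]:
    """Yield (content_type, version, body) for each complete TLS record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break  # truncated record: stop rather than misparse the tail
        yield ctype, version, body
        off += 5 + length

def check_heartbeat(body: bytes) -> Optional[str]:
    """Return a reason if a heartbeat message is malformed, else None."""
    if len(body) < 3:
        return "heartbeat shorter than its 3-byte header"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (1, 2):  # 1 = request, 2 = response
        return f"unknown heartbeat type {hb_type}"
    if 3 + payload_len + MIN_PADDING > len(body):
        # A vulnerable peer would echo payload_len bytes of its own memory,
        # so a declared length the record cannot hold is the signature.
        return (f"declared payload {payload_len} bytes exceeds the "
                f"{len(body)}-byte record (Heartbleed pattern)")
    return None

def scan(direction: str, data: bytes) -> list[str]:
    """Scan one direction of a TLS byte stream for malformed heartbeats."""
    findings = []
    for ctype, _version, body in parse_records(data):
        if ctype != HEARTBEAT:
            continue
        reason = check_heartbeat(body)
        if reason:
            findings.append(f"{direction}: {reason}")
    return findings

# Constructed sample records (TLS 1.1, version bytes 03 02), not real captures.
BENIGN_REQUEST = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04ping" + b"\x00" * 16
APP_DATA = b"\x17\x03\x02\x00\x05hello"
# A 3-byte heartbeat claiming a 16384-byte payload, arriving from the server
# side: the case Scott describes, the SP acting as client to a hostile host.
MALFORMED_REQUEST = b"\x18\x03\x02\x00\x03" + b"\x01\x40\x00"

FINDINGS = scan("server->client", APP_DATA + MALFORMED_REQUEST)  # one finding
```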