OpenSSL heartbleed bug / Shibboleth implications
Ian Young
ian at iay.org.uk
Tue Apr 8 10:13:53 EDT 2014
On 8 Apr 2014, at 15:00, Leif Johansson <leifj at sunet.se> wrote:
> Running the common sslscan.py against stuff actually gets you sessions
> on most HTTPS servers I've tried but nothing that looks like private key
> material.
What you get back will depend on so many things that I don't think you can draw comfort from that result. You really have to assume that ANY part of the server's state MAY leak, depending on CPU architecture, OS, compiler, ASLR, connection history, POTM, etc., and therefore in a security sense that over time ALL of it HAS leaked unless you can prove otherwise.
-- Ian