OpenSSL heartbleed bug / Shibboleth implications
Nickles, Brent
bnick001 at umaryland.edu
Tue Apr 8 11:23:08 EDT 2014
I'm trying to wrap my head around all of this. I've seen some tools (http://possible.lv/tools/hb/) to check the server itself, but this is limited to HTTP, and after patching it does show the server is secure.
The tool is, however, limited to testing against HTTPS (web) servers. So, even though your web server might be OK, I'm assuming that anything linked against OpenSSL might need to be addressed? My concern/question is: should we reinstall Shib and/or metadata on the SP and the IdP side to be safe?
-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Leif Johansson
Sent: Tuesday, April 08, 2014 10:00 AM
To: users at shibboleth.net
Subject: Re: OpenSSL heartbleed bug / Shibboleth implications
On 2014-04-08 15:54, Cantor, Scott wrote:
> On 4/8/14, 5:06 AM, "Peter Schober" <peter.schober at univie.ac.at> wrote:
>>
>> Does that really affect the SP's private key? I would have expected
>> the privilege separation via shibd to prevent such problems?
>> https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPArchitecture
>
> Ian's correct, my understanding is that connecting as a client also
> exposes that client's key to a hostile server. The mitigation with the
> SP is that it doesn't generally connect to anything but IdPs and
> metadata locations, unless I'm overlooking something.
>
It looks like "it depends".
Running the common sslscan.py against stuff actually gets you sessions on most HTTPS servers I've tried, but nothing that looks like private key material. That may just be because I'm bad at mounting attacks, though.
The prevalent guess over here is that most of the attacks right now are being mounted against things that might have bitcoins in memory and so we have a couple of days until those opportunities have closed :-)
> I don't expect *massive* fallout on the IdP side because 1.0.1 was
> relatively rare until very recently with the push to get TLS 1.1 and
> 1.2 deployed. But I really don't know the volume there, so I felt I
> needed to highlight this.
>
> -- Scott
>
>
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
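Brent's question above, whether things other than the web server that link OpenSSL need attention, comes down to finding every process that has libssl/libcrypto mapped and restarting any that still hold the pre-patch copy in memory. The script below is an added example for this thread, not Shibboleth project code; it assumes a Linux host with a readable /proc and uses constructed sample maps lines for its self-test.

```python
import os
import re

# Full path of any mapped libssl/libcrypto shared object on a /proc/<pid>/maps line.
LIB_RE = re.compile(r"(\S*/(?:libssl|libcrypto)\.so\S*)")

# Constructed maps excerpts (not from a real host). In the second one the library
# was upgraded on disk while the process still maps the old copy: "(deleted)".
SAMPLE_OK = (
    "7f0a0000 r-xp 00000000 08:01 100  /usr/lib/libssl.so.1.0.0\n"
    "7f0b0000 r-xp 00000000 08:01 101  /usr/lib/libcrypto.so.1.0.0\n"
    "7f0c0000 r-xp 00000000 08:01 102  /usr/lib/libc.so.6\n"
)
SAMPLE_STALE = SAMPLE_OK.replace("libssl.so.1.0.0", "libssl.so.1.0.0 (deleted)")


def scan_maps(maps_text):
    """Return (OpenSSL paths mapped by the process, needs_restart)."""
    libs, stale = [], False
    for line in maps_text.splitlines():
        m = LIB_RE.search(line)
        if not m:
            continue
        if m.group(1) not in libs:
            libs.append(m.group(1))
        # Patched on disk but the old code is still executing: restart needed.
        if line.rstrip().endswith("(deleted)"):
            stale = True
    return libs, stale


def scan_proc(proc_root="/proc"):
    """Walk proc_root and return {pid: (command name, OpenSSL libs, needs_restart)}."""
    found = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/maps") as f:
                libs, stale = scan_maps(f.read())
            with open(f"{proc_root}/{entry}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited, or unreadable without root
        if libs:
            found[int(entry)] = (comm, libs, stale)
    return found


if __name__ == "__main__":
    # shibd, httpd and anything else linking OpenSSL shows up here (Linux only).
    for pid, (comm, libs, stale) in sorted(scan_proc().items()):
        print(f"{pid:>7} {comm:<16} {'RESTART' if stale else 'ok':<8} {' '.join(libs)}")
```

Run it as root after upgrading the OpenSSL package; every line flagged RESTART is a service still executing the old library, whatever protocol it speaks.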