OpenSSL heartbleed bug / Shibboleth implications
Rich Graves
rgraves at carleton.edu
Tue Apr 8 12:54:37 EDT 2014
If you are using the native SP, which has process/privilege separation from the web server, I would not worry about replacing the SP keys. The vulnerability should only have exposed memory accessible to the httpd process. If you were using something like simpleSAMLphp then there could possibly be some concern.
I would replace your public-facing SSL keys/certificates if I were you. That's relatively easy. Consider invalidating any especially long-lived cookies. Maybe change internal admin passwords too, if they could have touched httpd processes also reachable by the public. Attack a server that's still vulnerable and see what you can see.