OpenSSL heartbleed bug / Shibboleth implications

Ian Young ian at iay.org.uk
Tue Apr 8 12:59:49 EDT 2014


On 8 Apr 2014, at 17:54, Rich Graves <rgraves at carleton.edu> wrote:

> If you are using the native SP, which has process/privilege separation from the web server, I would not worry about replacing the SP keys. The vulnerability should only have exposed memory accessible to the httpd process. If you were using something like simpleSAMLphp then there could possibly be some concern.

Not strictly true. It's not attackable through the web server, but when the Shibboleth daemon makes an outbound call to an IdP's SOAP endpoint (for artifact resolution or attribute query) then it's attackable back through that connection (either party can send the heartbeat packet).

	-- Ian
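Ian's point is that on an SP host it is not enough to look at the web server: shibd makes its own outbound TLS connections to the IdP's SOAP endpoint, so whichever OpenSSL shibd is linked against is exposed too. The following is an added example (not code from this thread or from the Shibboleth project) that classifies the output of `openssl version` against the affected ranges published in the OpenSSL advisory of 7 April 2014 (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g onwards fixed; 1.0.0 and 0.9.8 never had the heartbeat extension) and applies it to a constructed per-component inventory. The component names and version strings in SAMPLE_COMPONENTS are made up for illustration; the only thing it assumes about a real host is that you can obtain the version string of the libssl each daemon actually loads (for example via ldd on the binary and `openssl version` on that library's owning package).

```python
import re
import ssl

# Matches "1.0.1f" or "1.0.2-beta1" inside a string such as
# "OpenSSL 1.0.1f 6 Jan 2014" (the format printed by `openssl version`).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def parse_openssl_version(text):
    """Return (major, minor, fix, patch_letters, prerelease) parsed from text."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letters, pre = m.groups()
    return int(major), int(minor), int(fix), letters, pre


def heartbleed_exposed(version_text):
    """True when the upstream version string alone places the library in the
    range affected by CVE-2014-0160 (the OpenSSL advisory of 7 April 2014).

    This is a version heuristic only: distributions that backported the fix
    without changing the upstream version number (e.g. a patched 1.0.1e
    package) will still be reported as exposed here, so confirm against the
    package changelog before acting on a positive result.
    """
    major, minor, fix, letters, pre = parse_openssl_version(version_text)
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g and later fixed.
        return letters == "" or letters < "g"
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped the bug.
        return pre == "beta1"
    # 1.0.0, 0.9.8 and everything newer than 1.0.2-beta1 are unaffected.
    return False


# Constructed sample inventory for one SP host: the web server was rebuilt
# on a fixed library, but the separately linked shibd daemon was not.
SAMPLE_COMPONENTS = {
    "httpd (mod_ssl)": "OpenSSL 1.0.1g 7 Apr 2014",
    "shibd (back-channel SOAP client)": "OpenSSL 1.0.1e 11 Feb 2013",
}


def exposed_components(components):
    """Names of the components whose linked OpenSSL is in the affected range."""
    return sorted(name for name, ver in components.items()
                  if heartbleed_exposed(ver))


def interpreter_openssl_exposed():
    """Same check applied to the OpenSSL this Python interpreter is linked to."""
    return heartbleed_exposed(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    for name in exposed_components(SAMPLE_COMPONENTS):
        print("EXPOSED:", name, "->", SAMPLE_COMPONENTS[name])
    print("this interpreter exposed:", interpreter_openssl_exposed())
```

In the sample the web server passes and shibd fails, which is exactly the case the thread is about: an SP operator who only checked (or only restarted) httpd would still have a process whose outbound TLS sessions to the IdP could have been read, and should treat the SP key and any secrets in shibd's memory accordingly.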


