OpenSSL heartbleed bug / Shibboleth implications

Rich Graves rgraves at
Tue Apr 8 13:24:39 EDT 2014

> Not strictly true. It's not attackable through the web server, but
> when the Shibboleth daemon makes an outbound call to an IdP's SOAP
> endpoint (for artifact resolution or attribute query) then it's
> attackable back through that connection (either party can send

Agreed. If you're worried that someone with advance knowledge of
this vulnerability could have pulled off the above attack, then
you should change your keys. It's a risk assessment.

Configuring your application/metadata to require SAML2 could have
mitigated this threat, while also avoiding the operational errors
commonly with attribute query... though shibd could still have been
attacked while fetching federation metadata, for example. Who's your

I would not see a need to change federation keys QUICKLY, since only
a rather advanced attacker would have grabbed them, and it's
unlikely that such an attacker started yesterday. I feel more
urgency to address web server SSL keys and possible cookie/password
exposures because the number of attackers who could have started
going after those is far larger.

More information about the users mailing list