OpenSSL heartbleed bug / Shibboleth implications

Rich Graves rgraves at
Tue Apr 8 16:32:04 EDT 2014


>> I would replace your public-facing SSL keys/certificates if I were you.
> That's of little value until the old certificates get out on a CRL.

Simply changing the key protects against a passive sniffer with the old key.
There's some value there, especially if your threat model includes dragnet

Yes, spoofing and MITM are possible unless revocation, which isn't even
checked by most browsers, is effective.
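To make the two points above concrete (a leaked key stays trusted until a CRL names it, and even then only for clients that actually check revocation), here is an added shell demo written for this reply, not from the thread or from any Shibboleth component. It assumes the openssl CLI; the CA name, the hostname idp.example.test and all file names are made up.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA issues a server cert, the cert is later
# revoked, and we watch when verification actually starts to fail.
set -e
WORK=$(mktemp -d)
cd "$WORK"

q() { "$@" >/dev/null 2>&1; }   # run quietly, keep the exit status

# Throwaway CA plus the compromised ("old") and replacement ("new") certs.
q openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Demo CA" \
    -keyout ca.key -out ca.pem
for n in old new; do
  q openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=idp.example.test" \
      -keyout "$n.key" -out "$n.csr"
  q openssl x509 -req -in "$n.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 2 -sha256 -out "$n.pem"
done

# Minimal 'openssl ca' config: just enough to keep a revocation database
# and sign CRLs (no issuance goes through it).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 1
EOF
touch index.txt
echo 01 > crlnumber
q openssl ca -config ca.cnf -gencrl -out crl.pem   # initial, empty CRL

# Chain check only: how a client that skips revocation behaves.
cert_trusted() { q openssl verify -CAfile ca.pem "$1"; }
# Chain check plus a mandatory CRL lookup for the leaf certificate.
cert_trusted_with_crl() {
  q openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem "$1"
}
# What the CA does once told the old key leaked: revoke, publish a new CRL.
revoke_and_publish() {
  q openssl ca -config ca.cnf -revoke old.pem
  q openssl ca -config ca.cnf -gencrl -out crl.pem
}
```

Before revoke_and_publish both checks accept old.pem; afterwards only cert_trusted_with_crl rejects it, while cert_trusted still accepts it, which is the gap a key rotation alone does not close.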
