OpenSSL heartbleed bug / Shibboleth implications

Rich Graves rgraves at carleton.edu
Tue Apr 8 16:32:04 EDT 2014


(off-topic)

>> I would replace your public-facing SSL keys/certificates if I were you.
>
> That's of little value until the old certificates get out on a CRL.

Simply changing the key protects against a passive sniffer with the old key.
There's some value there, especially if your threat model includes dragnet
surveillance.

Yes, spoofing and MITM are possible unless revocation, which isn't even
checked by most browsers, is effective.
