Getting a grasp on Heartbleed and IDPs
Michael Schwartz
mike at gluu.org
Thu Apr 10 13:09:28 EDT 2014
Keith,
This blog provides a good analysis to understand the impact of
Heartbleed: http://www.gluu.co/cacert-heartbleed
The private SAML IDP key in the JVM's memory (i.e., Tomcat) would not be
exposed to the Apache httpd process.
However, if the web server's private key is compromised, then you have
HTTP, not HTTPS!
Password credentials could have leaked. After patching and re-keying the
server, people should be advised to reset their password credentials.
I think this is the biggest impact.
It highlights the cost of our societal over-reliance on
passwords--basically the cost of doing nothing. Passwords stolen from
one site are used elsewhere. So even if your web server wasn't
compromised, a person may have the same password on a server that was.
So the integrity of password authentication has managed to slip to a new
all-time low.
- Mike
-------------------------------------
Michael Schwartz
Gluu
Founder / CEO
http://gluu.org/blog