Getting a grasp on Heartbleed and IDPs

Michael Schwartz mike at
Thu Apr 10 13:09:28 EDT 2014


This blog provides a good analysis to understand the impact of 

The private SAML IDP key in the JVM's memory (i.e. tomcat) would not be 
exposed to the Apache httpd process.

However, if the web server's private key is compromised, then you have 

Password credentials could have leaked. After patching and re-keying the 
server, people should be advised to reset their password credentials.

I think this is the biggest impact.

It highlights the cost of our societal over-reliance on 
passwords--basically the cost of doing nothing. Passwords stolen from 
one site are used elsewhere. So even if your web server wasn't 
compromised, a person may have the same password on a server that was. 
So the integrity of password authentication has managed to slip to a new 
all-time low.

- Mike

Michael Schwartz
Founder / CEO
