Getting a grasp on Heartbleed and IDPs

Eric Goodman Eric.Goodman at ucop.edu
Thu Apr 10 14:14:16 EDT 2014


> If anyone has any definitive information about this either way it would be
> really helpful.

I definitely don't, but I'd like to add a clarifying question (which is not specific to Shibboleth, so apologies for that). Please note that this is a question and not an assertion.

I've heard that an edge consideration is that any use of a key in an OpenSSL-managed operation puts that key at risk (through the library's shared memory) if any of the TLS endpoints are public facing; even keys that are never used on an external connection. Can anyone confirm if this is the case?

For example, the statement I've heard is that if I run a vulnerable public-facing https web server, then that web server's TLS heartbleed could leak information about keys that are not used by the web server itself, but are actually used by OpenSSL in other applications on the same machine. E.g., a non-public https server's (different) key, or perhaps even keys created or manipulated using OpenSSL on the command line could be leaked through heartbleed attacks against the web server.

Again, even if true this is still more of an edge case, but I thought people here were likely to know whether this is even a valid statement. Googling brings up too many articles and blogs to answer this specific question.

Thanks.

--- Eric
