Getting a grasp on Heartbleed and IDPs

Cantor, Scott cantor.2 at
Fri Apr 11 10:47:37 EDT 2014

On 4/11/14, 5:03 AM, "Dave Perry" <Dave.Perry at> wrote:

>Although, I think I read in a post that you don't need to update the SP
>(well, it's less/not vulnerable) if you only talk to it from your own IdP
>/ one that isn't affected by Heartbleed?

If you know for a fact that every TLS connection made by the SP is to a
non-vulnerable server (meaning one that was never running the affected
code), then it's probably reasonable to conclude that it's safe once it's

That said, when you control the IdP, rekeying an SP is very easy, so it
really depends on the SPs, the number, the relationships, etc.

When you have hundreds, the risk calculation is much more significant, as
is what kind of data you're sending out to the SPs at risk. An SPs key is
a data disclosure risk, not a remote exploit or authentication risk.

-- Scott

More information about the users mailing list