Getting a grasp on Heartbleed and IDPs
Cantor, Scott
cantor.2 at osu.edu
Fri Apr 11 10:47:37 EDT 2014
On 4/11/14, 5:03 AM, "Dave Perry" <Dave.Perry at hull-college.ac.uk> wrote:
>Although, I think I read in a post that you don't need to update the SP
>(well, it's less/not vulnerable) if you only talk to it from your own IdP
>/ one that isn't affected by Heartbleed?
If you know for a fact that every TLS connection made by the SP is to a
non-vulnerable server (meaning one that was never running the affected
code), then it's probably reasonable to conclude that it's safe once it's
patched.
That said, when you control the IdP, rekeying an SP is very easy, so it
really depends on the SPs, the number, the relationships, etc.
When you have hundreds, the risk calculation is much more significant, as
is what kind of data you're sending out to the SPs at risk. An SP's key is
a data disclosure risk, not a remote exploit or authentication risk.
-- Scott
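To make the last point in Scott's reply concrete, here is a small Go model of what an SP's private key can and cannot do in an attacker's hands. It is added here as an illustration and is not part of the list posting or of the Shibboleth code. It stands in for SAML's encrypted assertions with RSA-OAEP key wrapping plus AES-256-GCM, with the IdP's signature carried as AEAD associated data rather than inside the ciphertext as SAML does; the assertion body, subject, attribute name and every function name are made-up assumptions. It also goes one step beyond the thread by showing what rekeying the SP does and does not buy you: assertions encrypted to the new key are opaque to the old one, but nothing captured before the rekey becomes unreadable again.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Assertion is a simplified stand-in for a signed SAML assertion (not XML-DSig):
// the IdP signs Body with its own key and the SP verifies that signature.
type Assertion struct{ Body, Sig []byte }

// EncryptedAssertion mirrors the hybrid scheme XML Encryption uses for SAML: a
// per-message content key wrapped to the SP's RSA key with OAEP, the body sealed
// under it with AES-256-GCM. Simplification: Sig rides alongside as AEAD
// associated data, whereas SAML encrypts the whole signed assertion.
type EncryptedAssertion struct{ WrappedKey, Nonce, Ciphertext, Sig []byte }

// must turns an error that the scenario never expects into a panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// IssueAssertion signs body with signer (RSA PKCS#1 v1.5 over SHA-256).
func IssueAssertion(signer *rsa.PrivateKey, body []byte) (Assertion, error) {
	h := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, signer, crypto.SHA256, h[:])
	return Assertion{Body: body, Sig: sig}, err
}

// VerifyAssertion reports whether a carries a valid signature from idpPub.
func VerifyAssertion(idpPub *rsa.PublicKey, a Assertion) bool {
	h := sha256.Sum256(a.Body)
	return rsa.VerifyPKCS1v15(idpPub, crypto.SHA256, h[:], a.Sig) == nil
}

// EncryptForSP is what the IdP does on every login; only the holder of the
// private half of spPub can read the result.
func EncryptForSP(spPub *rsa.PublicKey, a Assertion) (EncryptedAssertion, error) {
	r := make([]byte, 32+12) // fresh AES-256 key and 12-byte GCM nonce per message
	if _, err := rand.Read(r); err != nil {
		return EncryptedAssertion{}, err
	}
	cek, nonce := r[:32], r[32:]
	gcm := must(cipher.NewGCM(must(aes.NewCipher(cek)))) // cannot fail for a 32-byte key
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, cek, nil)
	return EncryptedAssertion{wrapped, nonce, gcm.Seal(nil, nonce, a.Body, a.Sig), a.Sig}, err
}

// DecryptWithSPKey is what the SP does to read an assertion, and exactly what
// an attacker holding a leaked copy of the SP key can do to captured traffic.
func DecryptWithSPKey(spKey *rsa.PrivateKey, e EncryptedAssertion) (Assertion, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, spKey, e.WrappedKey, nil)
	if err != nil || len(cek) != 32 { // wrong key: the OAEP padding check fails
		return Assertion{}, fmt.Errorf("cannot unwrap content key (err=%v, len=%d)", err, len(cek))
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(cek))))
	body, err := gcm.Open(nil, e.Nonce, e.Ciphertext, e.Sig)
	return Assertion{Body: body, Sig: e.Sig}, err
}

// Scenario plays out the risk from the thread and reports whether a leaked SP
// key (1) exposes captured assertion data, (2) lets the attacker forge an
// assertion the SP accepts, and (3) still reads assertions issued after a rekey.
func Scenario() (dataExposed, forgeryAccepted, readableAfterRekey bool) {
	idpKey := must(rsa.GenerateKey(rand.Reader, 2048))
	spKey := must(rsa.GenerateKey(rand.Reader, 2048))
	// Constructed sample assertion; the subject and attribute values are made up.
	body := []byte(`{"subject":"alice@example.edu","eduPersonAffiliation":"staff"}`)
	a := must(IssueAssertion(idpKey, body))
	captured := must(EncryptForSP(&spKey.PublicKey, a)) // e.g. from a proxy log or pcap
	// (1) The leaked SP key unwraps the content key and yields the genuine assertion.
	got, err := DecryptWithSPKey(spKey, captured)
	dataExposed = err == nil && string(got.Body) == string(body) &&
		VerifyAssertion(&idpKey.PublicKey, got)
	// (2) Signing with the SP key does not produce an IdP signature.
	forged := must(IssueAssertion(spKey, []byte(`{"subject":"mallory@example.edu"}`)))
	forgeryAccepted = VerifyAssertion(&idpKey.PublicKey, forged)
	// (3) After a rekey, assertions wrapped to the new key are opaque to the old one;
	// note that nothing captured before the rekey becomes unreadable again.
	newSPKey := must(rsa.GenerateKey(rand.Reader, 2048))
	later := must(EncryptForSP(&newSPKey.PublicKey, a))
	_, err = DecryptWithSPKey(spKey, later)
	readableAfterRekey = err == nil
	return
}

func main() {
	fmt.Println(Scenario()) // expected: true false false
}
```

Running it prints `true false false`: the leaked key reads the captured assertion (including whatever attributes the IdP released), cannot sign one the IdP's public key would verify, and cannot open assertions wrapped to the replacement key. That is why the decision in the thread turns on what data was released to the SP and how much of it may have been captured, not on whether anyone can now log in as someone else.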