Getting a grasp on Heartbleed and IDPs
Dave Perry
Dave.Perry at hull-college.ac.uk
Fri Apr 11 11:30:10 EDT 2014
Thanks Scott.
The 2 SPs are configured to talk to our IdP - which is under tomcat which is behind Apache with OpenSSL 0.9.8something.
They've never touched any other IdP in their existence.
Dave
-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: 11 April 2014 15:48
To: Shib Users
Subject: Re: Getting a grasp on Heartbleed and IDPs
On 4/11/14, 5:03 AM, "Dave Perry" <Dave.Perry at hull-college.ac.uk> wrote:
>Although, I think I read in a post that you don't need to update the SP
>(well, it's less/not vulnerable) if you only talk to it from your own
>IdP / one that isn't affected by Heartbleed?
If you know for a fact that every TLS connection made by the SP is to a non-vulnerable server (meaning one that was never running the affected code), then it's probably reasonable to conclude that it's safe once it's patched.
That said, when you control the IdP, rekeying an SP is very easy, so it really depends on the SPs, the number, the relationships, etc.
When you have hundreds, the risk calculation is much more significant, as is what kind of data you're sending out to the SPs at risk. An SP's key is a data disclosure risk, not a remote exploit or authentication risk.
-- Scott