
The Heartbleed Bug

A major new threat is sweeping the Internet. The Heartbleed Bug, announced publicly on April 7, 2014, is a serious vulnerability that affects certain versions of OpenSSL in circulation since 2012.

If you are running SAML software on an affected system, first patch the system and then consider the ramifications of Heartbleed on your SAML deployment. I can't tell you how to patch your system; at this time all I can do is point you to the official Heartbleed web page.

Advice to Identity Provider Operators

Once your system is patched, follow these steps:

  1. Read the X.509 Certificates in Metadata wiki page
    1. Use a long-lived, self-signed certificate
  2. Read the IdP Key Handling wiki page
    1. Handle the private IdP signing key securely!
  3. Read the Certificate Migration wiki page and its child pages
    1. Migrate, don't replace (unless there is evidence that the signing key has been compromised)

There is a lot of key-related documentation material on the above wiki pages. If you have questions and you are an InCommon Site Administrator, please contact us at admin@incommon.org; otherwise post your questions on the participants@incommon.org mailing list.
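Step 3's "migrate, don't replace" means publishing the new signing certificate in metadata alongside the old one, waiting for relying parties to refresh their copy of the metadata, and only then removing the old certificate. The Python script below is an added illustration of that sequence, not code from the InCommon wiki or from any SAML product: it operates on a constructed, minimal IdP EntityDescriptor in which the certificate bodies are placeholder strings rather than real certificates, and it refuses to remove the last remaining signing key, which is exactly what a one-step "replace" does.

```python
"""Signing-key rollover in SAML 2.0 metadata: add the new certificate
next to the old one first, retire the old one only after the new one
is published.  Added example on constructed metadata; the certificate
bodies OLDCERT/NEWCERT are placeholders, not real X.509 certificates."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)


def md(local):
    return "{%s}%s" % (MD_NS, local)


def ds(local):
    return "{%s}%s" % (DS_NS, local)


# Constructed sample: one IdP role with a single signing KeyDescriptor.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>OLDCERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def load_metadata(xml_text):
    return ET.fromstring(xml_text)


def serialize(root):
    return ET.tostring(root, encoding="unicode")


def _cert_of(key_descriptor):
    """Return the whitespace-stripped certificate body of a KeyDescriptor."""
    path = "./%s/%s/%s" % (ds("KeyInfo"), ds("X509Data"), ds("X509Certificate"))
    cert = key_descriptor.find(path)
    if cert is None or cert.text is None:
        return None
    return "".join(cert.text.split())


def _signing_descriptors(root):
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    return [kd for kd in root.iter(md("KeyDescriptor")) if kd.get("use") in (None, "signing")]


def signing_certs(root):
    """Certificates relying parties may currently use to verify this IdP's signatures."""
    return [_cert_of(kd) for kd in _signing_descriptors(root)]


def add_signing_cert(root, new_cert):
    """Phase 1 of the migration: publish the new certificate alongside the old one."""
    new_cert = "".join(new_cert.split())
    if new_cert in signing_certs(root):
        raise ValueError("certificate is already published in metadata")
    role = root.find(md("IDPSSODescriptor"))
    if role is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    kd = ET.Element(md("KeyDescriptor"), {"use": "signing"})
    x509 = ET.SubElement(ET.SubElement(ET.SubElement(kd, ds("KeyInfo")),
                                       ds("X509Data")), ds("X509Certificate"))
    x509.text = new_cert
    # Keep the schema order: insert before the first existing KeyDescriptor
    # (or at the front if there is none), never after the endpoint elements.
    children = list(role)
    index = next((i for i, c in enumerate(children) if c.tag == md("KeyDescriptor")), 0)
    role.insert(index, kd)
    return len(signing_certs(root))


def retire_signing_cert(root, old_cert):
    """Phase 2, run only after relying parties have refreshed metadata."""
    old_cert = "".join(old_cert.split())
    current = signing_certs(root)
    if old_cert not in current:
        raise ValueError("certificate not found in metadata")
    remaining = [c for c in current if c != old_cert]
    if not remaining:
        # This is the 'replace' mistake: it would leave the IdP with no trusted key.
        raise ValueError("refusing to remove the only signing certificate; publish the new one first")
    role = root.find(md("IDPSSODescriptor"))
    for kd in list(role):
        if kd.tag == md("KeyDescriptor") and kd.get("use") in (None, "signing") \
                and _cert_of(kd) == old_cert:
            role.remove(kd)
    return remaining


if __name__ == "__main__":
    tree = load_metadata(SAMPLE_METADATA)
    add_signing_cert(tree, "NEWCERT")      # both keys published
    print(serialize(tree))
    retire_signing_cert(tree, "OLDCERT")   # old key removed later
    print(signing_certs(tree))
```

Between the two phases the IdP keeps signing with the old key; relying parties that have already refreshed accept either certificate, so the switch of the private key itself can happen whenever convenient, and the old KeyDescriptor is removed only once every partner has had time to pick up the new metadata.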
