
This wiki page is a work in progress and will be updated as new information is received and processed.

The Heartbleed Bug

A major new threat is sweeping the Internet. The Heartbleed Bug, announced publicly on April 7, 2014, is a serious vulnerability that affects certain versions of OpenSSL in circulation since 2012.

If you are running SAML software on an affected system, first patch the system and then consider the ramifications of the Heartbleed Bug for your SAML deployment. We can't tell you how to patch your system; at this time all we can do is point you to the official Heartbleed web page linked above.

Implementation-specific Information

Shibboleth: Shibboleth Security Advisory (9 April 2014)

SimpleSAMLphp: https://groups.google.com/forum/#!topic/simplesamlphp/XphXXmVhMVI

Advice to InCommon IdP Operators

Once your system is patched, follow these steps to migrate a new certificate into metadata:

  1. Read the X.509 Certificates in Metadata wiki page
    1. Use a long-lived, self-signed certificate
  2. Read the IdP Key Handling wiki page
    1. Handle the private IdP signing key securely!
  3. Read the Certificate Migration wiki page and its child pages
    1. Unless there is evidence that your IdP signing key has been compromised, migrate a new certificate into metadata; do not simply replace the old certificate, which will adversely affect interoperability with SPs that have not yet refreshed metadata.
    2. Assuming your SP partners follow InCommon recommendations with respect to Metadata Consumption, wait at least 24 hours for newly updated metadata to propagate throughout the Federation.

Advice to InCommon SP Owners

TBD

Resources
