Gluu Blog


Impact of Heartbleed for Gluu Customers

Mike S. April 10, 2014

This blog provides a good analysis to understand the impact of Heartbleed: http://www.gluu.co/cacert-heartbleed

If you are running a Shibboleth IDP front ended by an Apache HTTPD server, the private SAML IDP key in the JVM’s memory (i.e. Tomcat) would not be exposed to the Apache httpd process: Heartbleed leaks memory only from the process that links the vulnerable OpenSSL, and the JVM is a separate process.

However, if the web server’s TLS private key is compromised, then you effectively have HTTP, not HTTPS! Anyone holding that key can impersonate the server or decrypt traffic protected by it.

Password credentials could have leaked. After patching and re-keying the server (a new private key and certificate), people should be advised to reset their password credentials.

I think this is the biggest impact.

It highlights the cost of our societal over-reliance on passwords, basically the cost of doing nothing. Passwords stolen from one site are used elsewhere. So even if your web server wasn’t compromised, a person may have used the same password on a server that was. So the integrity of password authentication has managed to slip to a new all-time low.


Mike Schwartz

Mike has been an entrepreneur and identity specialist for more than two decades. He is the technical and business visionary behind Gluu. Mike is an application security expert and has been a featured speaker at RSA Conference, Gartner Catalyst, Cloud Identity Summit (now "Identiverse") and many other security conferences around the world.