On Apr 10, 2014, at 11:41 PM, Wesley Craig <wescr...@gmail.com> wrote:

> On 10 Apr 2014, at 22:34, Andrew Mortensen <and...@weblogin.org> wrote:
>> Some weblogin environments have elected to allow cosign clients (again, I 
>> mean mod_cosign and friends) to authenticate with certificates issued by 
>> public CAs. The protected web servers in these deployments are using these 
>> same certificates for https. Wes is pointing out that if the private key for 
>> these https servers was stolen via heartbleed, attackers could ALSO 
>> authenticate to cosignd as the protected service if the weblogin 
>> administrators permit client authentication using certificates signed by 
>> public CAs.
> 
> heartbleed allows an unauthenticated attacker to read everything in RAM of 
> the attacked process.  Obviously, that includes the certificate that apache 
> is using, but it could also include mod_cosign's certificate, the password 
> you use to connect to mysql, everything.

You're quite right. I suppose one bit of good news is that due to our use of 
CGI for authentication on the weblogin servers, neither the cosign.cgi 
cert/privkey, nor cosign keytab information, nor the Friend mysql password, nor 
any external factor secrets would have been exposed.

andrew
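
As an added example (not code from this thread or from the cosign project): a small Python check for the exposure described above, comparing the SubjectPublicKeyInfo digest of the HTTPS server certificate with that of the certificate mod_cosign presents to cosignd, so key reuse between the two roles can be flagged before a key-theft event. The sample certificates are constructed, unsigned X.509 shells built inline for illustration, and the helper names (`spki_fingerprint`, `shares_key`, `make_test_cert`) are assumptions, not cosign APIs.

```python
import hashlib

def _tlv(buf, off):
    """Read one DER TLV at buf[off]; returns (tag, value, total length)."""
    tag, length, hdr = buf[off], buf[off + 1], 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr += n
    return tag, buf[off + hdr:off + hdr + length], hdr + length

def spki_fingerprint(cert_der):
    """SHA-256 of the SubjectPublicKeyInfo inside a DER X.509 certificate.
    Walks Certificate -> tbsCertificate, skips the optional [0] version and
    the serial, signature, issuer, validity and subject fields, then hashes
    the SPKI element. Equal digests mean the certificates share one key."""
    tag, cert, _ = _tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tag, tbs, _ = _tlv(cert, 0)
    assert tag == 0x30, "tbsCertificate must be a SEQUENCE"
    off = 0
    if _tlv(tbs, 0)[0] == 0xA0:              # [0] EXPLICIT version (absent in v1)
        off += _tlv(tbs, 0)[2]
    for _ in range(5):                       # serial, signature, issuer, validity, subject
        off += _tlv(tbs, off)[2]
    tag, _, size = _tlv(tbs, off)
    assert tag == 0x30, "subjectPublicKeyInfo must be a SEQUENCE"
    return hashlib.sha256(tbs[off:off + size]).hexdigest()

def shares_key(https_cert_der, cosign_client_cert_der):
    """True when mod_cosign's client certificate reuses the HTTPS server key."""
    return spki_fingerprint(https_cert_der) == spki_fingerprint(cosign_client_cert_der)

# Constructed test data below: structurally valid shells, not real certificates.
def _der(tag, body):
    """Encode one DER TLV, short- or long-form length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def make_test_cert(spki_body):
    """Unsigned X.509 v3 shell with empty placeholder fields around the SPKI."""
    tbs = (_der(0xA0, _der(0x02, b"\x02"))   # [0] version v3
           + _der(0x02, b"\x01")             # serialNumber
           + _der(0x30, b"") * 4             # signature, issuer, validity, subject (empty)
           + _der(0x30, spki_body))          # subjectPublicKeyInfo
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

Feed `shares_key` the DER of the Apache `SSLCertificateFile` and the mod_cosign client certificate (PEM decoded with `ssl.PEM_cert_to_DER_cert`); a `True` result means a compromise of the web server key also yields the credential used toward cosignd.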

Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
