Or in this case, the bleeding hearts?
It would be very difficult today to miss the news of the Heartbleed OpenSSL vulnerability. Heartbleed is a serious vulnerability in the popular OpenSSL cryptographic software library. It is specific to the v1.0.1 series of OpenSSL; earlier versions are not affected.
The best advice we can offer to institutions concerned about this vulnerability is to liaise closely with your local NRENs – many of whom are already putting out advice and offering support and solutions. See for example the advice from JANET to the UK community on the vulnerability and how the JANET Certificate Service (part of the TERENA Certificate Service) can be used to renew certificates where needed.
If you don’t know how to get in contact with your local CSIRT, the TERENA Trusted Introducer database may be helpful.
At the moment the various communities that might be impacted by this vulnerability are investigating the best approach to a solution, and the vulnerability affects a range of different systems across the education sector. Here is a summary of where you can follow the conversation.
- Discussions and advice on the impact on SAML based solutions are happening on the REFEDS list, where you will find most of the developers of SAML software such as Shibboleth and SimpleSAMLphp.
- The Shibboleth developers have published information about the impact on Shibboleth products.
- The UK federation have an advisory for their community.
- Many institutions will be considering the need to replace certificates and TCS is a good place to start. If you have any questions about obtaining certificates through TCS or broader issues with certificates (e.g. questions about SHA2) please use the TCS mailing list or contact Nicole.
- The eduroam operational team are busy carrying out a full review and have posted advice on where OpenSSL affects eduroam / RADIUS over on the TF-Mobility list.
If you have any questions at all about how these issues are affecting the TERENA community, please get in touch with us.
In the meantime I will leave you with a great piece of advice today from Ian Young regarding the fact that this is only impacting more recent implementations of OpenSSL: “Except for all the other things they are vulnerable to. Let’s please *not* spread the meme that the best way to stay secure is to avoid upgrades.”