Re: [iText-questions] Heartbleed Patch
On 4/15/2014 9:30 PM, Potvin, Chet wrote:
> Thank you for your response. I believe I understand iText's position on this matter. Just to make sure that I understand you correctly, iText utilizes the OpenSSL library for encrypting and signing PDF documents on the client-side.

iText utilizes BouncyCastle for encrypting and signing. BouncyCastle has a package named org.bouncycastle.openssl in case you need OpenSSL support, but that is irrelevant.

> The Heartbleed vulnerability only relates to servers that are using the OpenSSL library for decrypting SSL certificates on incoming requests. Since iText does not encrypt or decrypt HTTPS traffic, the Heartbleed vulnerability is not an issue within the iText library. Is this an accurate statement?

That summarizes it well. There's a cartoon that visualizes the Heartbleed problem very well: http://xkcd.com/1354/

A web application that uses iText gets a request from a user. iText creates a PDF and the server sends this PDF to the browser. iText's task is limited to creating the bytes of the PDF. iText doesn't add any sensitive data to that PDF.

--
Learn Graph Databases - Download FREE O'Reilly Book
Graph Databases is the definitive new guide to graph databases and their applications. Written by three acclaimed leaders in the field, this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech
___
iText-questions mailing list
iText-questions@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/itext-questions
iText(R) is a registered trademark of 1T3XT BVBA.
Many questions posted to this list can (and will) be answered with a reference to the iText book: http://www.itextpdf.com/book/
Please check the keywords list before you ask for examples: http://itextpdf.com/themes/keywords.php
Re: [iText-questions] Heartbleed Patch
Mr. Lowagie,

Thank you for your response. I believe I understand iText's position on this matter. Just to make sure that I understand you correctly, iText utilizes the OpenSSL library for encrypting and signing PDF documents on the client-side. The Heartbleed vulnerability only relates to servers that are using the OpenSSL library for decrypting SSL certificates on incoming requests. Since iText does not encrypt or decrypt HTTPS traffic, the Heartbleed vulnerability is not an issue within the iText library. Is this an accurate statement?

Chet Potvin | Sr. Software Engineer | Care Coordination and Analytics
Allscripts | 222 Merchandise Mart | Suite 2024 | Chicago, IL | 60654
773.632.1552 | P
888.446.2022 | F
chet.pot...@allscripts.com | www.allscripts.com
Re: [iText-questions] Heartbleed Patch
On 4/9/2014 2:08 PM, iText mailing list wrote:
> Public/private keys are also used in the context of SSL, but I fail to see why iText would be affected by an OpenSSL problem. Maybe you can explain, but I can't.

In other words: the question should not be about iText. The question should be: how were the certificates (public/private keys) you used to encrypt/sign a PDF created? Were these certificates/keys compromised? That's a question that needs to be answered by the provider of the certificates, not by iText.
[iText-questions] Heartbleed Patch
iText has OpenSSL capabilities. I'm not sure how OpenSSL is used in iText, but I need to know if the library is a target for the Heartbleed vulnerability. If so, what remediation steps can be taken to eliminate this threat?

https://www.schneier.com/blog/archives/2014/04/heartbleed.html

Chet Potvin | Sr. Software Engineer | Care Coordination and Analytics
Allscripts | 222 Merchandise Mart | Suite 2024 | Chicago, IL | 60654
773.632.1552 | P
888.446.2022 | F
chet.pot...@allscripts.com | www.allscripts.com
Re: [iText-questions] Heartbleed Patch
On 4/9/2014 12:55 PM, Potvin, Chet wrote:
> iText has OpenSSL capabilities.

Why would a PDF generation library need OpenSSL functionality? Sure, we use encryption for:
- encrypting PDFs,
  - either using passwords (owner password and optionally a user password),
  - or using a certificate
- signing PDFs, this involves using a certificate

Where it says certificate, PKI is involved. Public/private keys are also used in the context of SSL, but I fail to see why iText would be affected by an OpenSSL problem. Maybe you can explain, but I can't.
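The thread's conclusion is that Heartbleed is a question about the OpenSSL build that terminates TLS in front of the web application (and whether keys that passed through it were exposed), not about iText, which signs and encrypts through BouncyCastle. As an added example that is not from this list or the iText project, here is a small Python triage helper that classifies the output of `openssl version` on that TLS terminator; the version strings in it are constructed samples.

```python
"""Classify an `openssl version` string against the Heartbleed range.

Added example, not from the iText list or project. Aim it at the OpenSSL that
terminates TLS in front of the web application (httpd, nginx, a load balancer);
the Java/iText side signs and encrypts via BouncyCastle and is out of scope.
Assumed upstream facts: 1.0.1 through 1.0.1f and 1.0.2-beta1 carry the bug,
1.0.1g and 1.0.2-beta2 fix it, and the 0.9.8 and 1.0.0 lines never had the
heartbeat code. Distributions backport the fix without changing the letter,
so "affected" means "check the package changelog", not "proven vulnerable".
"""
import re

# Matches constructed samples such as "OpenSSL 1.0.1e 11 Feb 2013",
# "OpenSSL 1.0.1e-fips ..." and "OpenSSL 1.0.2-beta1 ...".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9]+))?")


def parse_openssl_version(text):
    """Return (major, minor, fix, letter, tag) from `openssl version` output, or None."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, fix, letter, tag = m.groups()
    return int(major), int(minor), int(fix), letter, (tag or "").lower()


def heartbleed_range(text):
    """Classify as 'affected', 'fixed', 'unaffected' or 'unknown' (unparseable)."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return "unknown"
    major, minor, fix, letter, tag = parsed
    if (major, minor, fix) == (1, 0, 1):
        # Plain 1.0.1 and letters a..f are affected; g is the fix, later letters inherit it.
        return "affected" if letter < "g" else "fixed"
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped with the bug.
        return "affected" if tag == "beta1" else "fixed"
    # 0.9.8 and 1.0.0 predate the heartbeat extension; 1.1.x postdates the fix.
    return "unaffected"


def triage(text):
    """Map the classification to the next defensive step for the TLS terminator."""
    verdict = heartbleed_range(text)
    action = {
        "affected": "confirm via distro changelog; if unpatched, upgrade, then reissue TLS keys/certs",
        "fixed": "no Heartbleed action; keep the usual patch cadence",
        "unaffected": "no Heartbleed action for this release line",
        "unknown": "not an OpenSSL version string; identify the TLS library by hand",
    }[verdict]
    return verdict, action
```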