On 10 Apr 2014, at 22:34, Andrew Mortensen <and...@weblogin.org> wrote:
> Some weblogin environments have elected to allow cosign clients (again, I 
> mean mod_cosign and friends) to authenticate with certificates issued by 
> public CAs. The protected web servers in these deployments are using these 
> same certificates for https. Wes is pointing out that if the private key for 
> these https servers was stolen via heartbleed, attackers could ALSO 
> authenticate to cosignd as the protected service if the weblogin 
> administrators permit client authentication using certificates signed by 
> public CAs.

Heartbleed allows an unauthenticated attacker to read everything in RAM of the 
attacked process.  Obviously, that includes the certificate that apache is 
using, but it could also include mod_cosign's certificate, the password you use 
to connect to mysql, everything.

:wes
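An added audit check (not code from this thread or from the cosign project) for the reuse Andrew describes: it reads an httpd config, collects the `SSLCertificateFile` certs and the client certs named by `CosignCrypto`, and reports any pair with the same fingerprint. It assumes the `CosignCrypto key cert CAdir` argument order and uses constructed, in-memory placeholder PEM bodies instead of real files.

```python
import base64
import hashlib
import re

# Constructed placeholder "files": the PEM bodies are NOT real certificates,
# only their identity matters for the check. A real audit reads them from disk.
_SHARED = base64.b64encode(b"constructed public-CA server cert").decode()
_DEDICATED = base64.b64encode(b"constructed dedicated cosign client cert").decode()
FAKE_FS = {
    "/etc/ssl/certs/www.example.edu.pem": f"-----BEGIN CERTIFICATE-----\n{_SHARED}\n-----END CERTIFICATE-----\n",
    "/etc/cosign/cosign.crt": f"-----BEGIN CERTIFICATE-----\n{_SHARED}\n-----END CERTIFICATE-----\n",
    "/etc/cosign/cosign-dedicated.crt": f"-----BEGIN CERTIFICATE-----\n{_DEDICATED}\n-----END CERTIFICATE-----\n",
}

# Risky pattern from the thread: the https cert doubles as the cosign client cert.
RISKY_CONF = """
SSLCertificateFile /etc/ssl/certs/www.example.edu.pem
CosignCrypto /etc/cosign/cosign.key /etc/cosign/cosign.crt /etc/cosign/CA  # same cert as https
"""
# Mitigated: a separate, privately issued client cert for mod_cosign.
SAFE_CONF = """
SSLCertificateFile /etc/ssl/certs/www.example.edu.pem
CosignCrypto /etc/cosign/cosign-dedicated.key /etc/cosign/cosign-dedicated.crt /etc/cosign/CA
"""

def fingerprint(pem_text):
    """SHA-256 over the DER body of the first CERTIFICATE block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def cert_reuse_findings(conf_text, read_file=FAKE_FS.__getitem__):
    """Return (tls_cert_path, cosign_cert_path) pairs that carry the same certificate."""
    tls_certs, cosign_certs = [], []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()        # strip comments, tokenize
        if not parts:
            continue
        name = parts[0].lower()                     # httpd directives are case-insensitive
        if name == "sslcertificatefile" and len(parts) >= 2:
            tls_certs.append(parts[1])
        elif name == "cosigncrypto" and len(parts) >= 3:
            cosign_certs.append(parts[2])           # assumed order: key cert CAdir
    return [(t, c) for t in tls_certs for c in cosign_certs
            if fingerprint(read_file(t)) == fingerprint(read_file(c))]
```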
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss