On 4/15/2014 9:30 PM, Potvin, Chet wrote:
> Thank you for your response. I believe I understand iText’s position
> on this matter. Just to make sure that I understand you correctly,
> iText utilizes the OpenSSL library for encrypting and signing PDF
> documents on the client-side.

iText utilizes BouncyCastle for encrypting and signing. BouncyCastle has a package named org.bouncycastle.openssl in case you need OpenSSL support, but that is irrelevant.

> The Heartbleed vulnerability only relates to servers who are using the
> OpenSSL library for decrypting SSL certificates on incoming requests.
> Since iText does not encrypt or decrypt HTTPS traffic, the Heartbleed
> vulnerability is not an issue within the iText library. Is this an
> accurate statement?

That summarizes it well. There's a cartoon that visualizes the Heartbleed problem very well: http://xkcd.com/1354/

A web application that uses iText gets a request from a user. iText creates a PDF and the server sends this PDF to the browser. iText's task is limited to creating the bytes of the PDF. iText doesn't add any sensitive data to that PDF.