Feide responded to the Heartbleed OpenSSL vulnerability (CVE-2014-0160) on Tuesday, 8 April 2014, as soon as we learned about it. This weakness in OpenSSL was made public on Monday night, and it affects millions of services worldwide. Web, email, VPN services, directory services and many others can be vulnerable. There is a high probability that your organization has services affected by this vulnerability.
The Feide login service was found vulnerable, as were many others. We updated our servers to a fixed version of OpenSSL (1.0.1g) on Tuesday morning, so the attack is no longer possible. As a precaution, we replaced the TLS certificate (together with its private key) on Thursday morning at 09:41 (Oslo time), as soon as our certificate provider was able to issue a new one. We will continue by changing the SAML certificate used by our Identity Provider and issuing new SAML metadata, which all Service Providers in the federation will then need to update.
Feide encourages all organizations participating in the federation to follow Difi’s guidance about the massive Heartbleed vulnerability (in Norwegian).
We have no indication that usernames and passwords (which are local to the institutions participating in Feide) have been compromised or abused, but as a precautionary measure we encourage you to review the services you run, update those that are vulnerable, and strongly consider changing user passwords.
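To support the review step above (inventory your services, identify the ones running an affected OpenSSL, then patch and rotate keys and certificates as Feide did), here is an added example of a small triage helper. It is not Feide's tooling and the host names and version strings in the sample inventory are constructed; it relies only on the affected range published with CVE-2014-0160 (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g and 1.0.2-beta2).

```python
"""Triage an OpenSSL version inventory after Heartbleed (CVE-2014-0160).

Added example, not Feide's own tooling. The inventory below is constructed;
the function only encodes the published affected range: 1.0.1 up to and
including 1.0.1f and 1.0.2-beta1 are vulnerable, 1.0.1g and 1.0.2-beta2
carry the fix, and the 0.9.8 and 1.0.0 branches never had the heartbeat code.
"""
import re
import ssl

# Matches '1.0.1f', '1.0.1e-fips', '1.0.2-beta1', optionally after a product
# name such as 'OpenSSL ' and before a build date.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\w+))?")


def parse_version(text):
    """Return (major, minor, patch, letter, suffix) from an `openssl version`
    style string. Raises ValueError if no version number is found."""
    text = re.sub(r"^[A-Za-z]+\s+", "", text.strip())   # drop 'OpenSSL ' prefix
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    major, minor, patch, letter, suffix = m.groups()
    return int(major), int(minor), int(patch), letter, suffix or ""


def is_heartbleed_vulnerable(text):
    """True when the upstream version string falls in the affected range.

    Caveat: distributions that backported the fix (e.g. a patched 1.0.1e
    package) keep the old version string, so this is a first pass; confirm
    against the vendor advisory or package changelog before closing a host.
    """
    major, minor, patch, letter, suffix = parse_version(text)
    if (major, minor, patch) == (1, 0, 1):
        return letter < "g"          # plain 1.0.1 and 1.0.1a..f are affected
    if (major, minor, patch) == (1, 0, 2):
        return suffix == "beta1"     # beta2 shipped with the fix
    return False


def triage(inventory):
    """Split (service, version) pairs into services that need patching plus
    key/certificate rotation, and services this check does not flag."""
    needs_action, clean = [], []
    for service, version in inventory:
        (needs_action if is_heartbleed_vulnerable(version) else clean).append(service)
    return needs_action, clean


# Constructed sample inventory, as an organisation might collect by running
# `openssl version` on each host. These are not real Feide hosts.
SAMPLE_INVENTORY = [
    ("idp.example.org", "OpenSSL 1.0.1f 6 Jan 2014"),
    ("mail.example.org", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("vpn.example.org", "OpenSSL 1.0.0l 6 Jan 2014"),
    ("ldap.example.org", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("web.example.org", "OpenSSL 1.0.2-beta1 24 Feb 2014"),
]

if __name__ == "__main__":
    action, ok = triage(SAMPLE_INVENTORY)
    print("patch, then rotate TLS/SAML keys and certificates, consider password resets:", action)
    print("not flagged by this check:", ok)
    try:
        local = ssl.OPENSSL_VERSION   # the library this interpreter links against
        print(local, "->", "vulnerable" if is_heartbleed_vulnerable(local) else "not vulnerable")
    except ValueError as exc:
        print("could not classify local library:", exc)
```

Services in the first list should follow the same sequence Feide describes: update OpenSSL, then replace the TLS certificate and its private key, then rotate any other long-lived key material that was loaded into the vulnerable process (for an Identity Provider, the SAML signing certificate and the metadata that publishes it).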
For updated information from Feide about the Heartbleed vulnerability, see:
If you have any questions, please contact us at firstname.lastname@example.org.