vivekrajenderan / simplesamlphp

Automatically exported from code.google.com/p/simplesamlphp

package should not include a default credential #596

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The cert directory includes a default private key and corresponding X.509 
certificate. Although the documentation warns deployers that they should not 
use this in production, it is inevitable that some deployers will do so through 
inattention, language issues or lack of appropriate domain knowledge. The 
result of such a deployment would be a "pre-compromised" entity, whose private 
key is known and which can be impersonated by others.

simpleSAMLphp should not include a default credential. It is better for a 
deployment to fail to work rather than appear to work, but be insecure.

Original issue reported on code.google.com by i...@iay.org.uk on 24 Nov 2013 at 4:54
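The check a deployer would want after reading this report is whether an installed `cert/` directory still holds the credential that shipped with the package. The script below is an added example, not code from simpleSAMLphp or from the reporter: it fingerprints every PEM block in a directory (SHA-256 over the DER bytes, the same value `openssl x509 -fingerprint -sha256` prints) and flags any block whose fingerprint is on a list of known default credentials, plus any private key file readable by group or other. The real fingerprint of the packaged default certificate is not on the page, so `KNOWN_DEFAULT_FINGERPRINTS` is populated only with a constructed placeholder blob; a deployer would fill it from the `cert/` directory of the exact release they installed. The PEM contents here are constructed bytes, not a real X.509 structure, which is all the fingerprint comparison needs.

```python
import base64
import hashlib
import os
import re
import tempfile

# Constructed stand-in for a credential that shipped inside a package.
# It is NOT a real certificate; only its DER bytes matter for fingerprinting.
CONSTRUCTED_DEFAULT_DER = b"constructed-placeholder-for-a-packaged-default-credential"

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def to_pem(label, der):
    """Wrap raw DER bytes in a PEM envelope with the given label."""
    body = base64.encodebytes(der).decode().replace("\n", "")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_blocks(text):
    """Yield (label, der_bytes) for every PEM block found in text."""
    for label, body in PEM_BLOCK.findall(text):
        yield label, base64.b64decode("".join(body.split()))


def fingerprint(der):
    """SHA-256 fingerprint over the DER encoding, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


# Placeholder set: in a real audit this holds the fingerprints of the
# certificate and key that ship in the package's cert/ directory.
KNOWN_DEFAULT_FINGERPRINTS = {fingerprint(CONSTRUCTED_DEFAULT_DER)}


def audit_cert_dir(directory, known_defaults=KNOWN_DEFAULT_FINGERPRINTS):
    """Return a list of (file, pem_label, fingerprint, finding) tuples.

    Findings: a block whose fingerprint is a known packaged default, or a
    private key whose file permissions let group/other read it.
    """
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith((".pem", ".crt", ".key")):
            continue
        path = os.path.join(directory, name)
        with open(path) as fh:
            text = fh.read()
        loose_perms = os.stat(path).st_mode & 0o077
        for label, der in pem_blocks(text):
            fp = fingerprint(der)
            if fp in known_defaults:
                findings.append((name, label, fp, "known default credential"))
            if "PRIVATE KEY" in label and loose_perms:
                findings.append((name, label, fp, "private key readable by group/other"))
    return findings


def write_sample_cert_dir(directory):
    """Populate a directory with constructed files: one packaged default, one fresh."""
    with open(os.path.join(directory, "server.crt"), "w") as fh:
        fh.write(to_pem("CERTIFICATE", CONSTRUCTED_DEFAULT_DER))
    with open(os.path.join(directory, "server.pem"), "w") as fh:
        fh.write(to_pem("PRIVATE KEY", CONSTRUCTED_DEFAULT_DER))
    os.chmod(os.path.join(directory, "server.pem"), 0o644)  # deliberately too open
    with open(os.path.join(directory, "fresh.crt"), "w") as fh:
        fh.write(to_pem("CERTIFICATE", b"constructed-freshly-generated-credential"))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_cert_dir(tmp)
        for finding in audit_cert_dir(tmp):
            print(finding)
```

Run against an installation's `cert/` directory the audit should return an empty list; anything else means the deployment is the "pre-compromised" entity the report describes (a fingerprint hit) or has a key that other local users can copy (a permissions hit).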

GoogleCodeExporter commented 9 years ago
This is now fixed in r3306.

Thanks again for reporting Ian.

Original comment by jaim...@gmail.com on 27 Nov 2013 at 12:50