---------- Forwarded message ----------
From: "Mark Bergsma" <mark@wikimedia.org>
Date: Oct 17, 2014 2:05 PM
Subject: [Wikitech-l] SSL 3.0 disabled on Wikimedia sites
To: <wikitech-l@lists.wikimedia.org>
Cc:

> Hi all,
>
> Due to the POODLE vulnerability in SSL3.0 that's been announced this
> week and has made its rounds through the media, we decided that we
> needed to disable SSL3.0 on all our HTTPS services today, to protect
> the security of all our users. The bulk of that change has been
> deployed today at 15:00 UTC for the wikis, and the remaining HTTPS
> services are getting the same treatment throughout the day. Please see
> our blog post on this topic for details:
>
>     http://blog.wikimedia.org/2014/10/17/protecting-users-against-poodle-by-removing-ssl-3-0-support/
>
> If you see or hear about anyone having issues connecting to our sites
> over HTTPS or logging in, please direct them to the link above, and
> urge them to upgrade their software. Unfortunately, due to the nature
> of HTTPS we're not able to provide a fallback when users get an error
> message due to this. We're still looking into the possibility of
> providing affected users with an informative error message upon login,
> however, before they get redirected from HTTP to HTTPS.
>
> As a side note, we've also deployed Google's SCSV SSL extension[1] on
> our servers yesterday, such that the attack surface for such
> vulnerabilities will be reduced in the future for clients which
> support this extension.
>
> [1] http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html
>
> Thanks,
>
> --
> Lead Operations Architect
> Director of Technical Operations
> Wikimedia Foundation