Hi all,
Due to the POODLE vulnerability in SSL3.0 that's been announced this week and has made its rounds through the media, we decided that we needed to disable SSL3.0 on all our HTTPS services today, to protect the security of all our users. The bulk of that change has been deployed today at 15:00 UTC for the wikis, and the remaining HTTPS services are getting the same treatment throughout the day. Please see our blog post on this topic for details:
http://blog.wikimedia.org/2014/10/17/protecting-users-against-poodle-by-remo...
If you see or hear about anyone having issues connecting to our sites over HTTPS or logging in, please direct them at the link above, and urge them to upgrade their software. Unfortunately due to the nature of HTTPS we're not able to provide a fallback when users get an error message due to this. We're still looking into the possibility to provide affected users with an informative error message upon login however, before they get redirected from HTTP to HTTPS.
As a side note, we've also deployed Google's SCSV SSL extension[1] on our servers yesterday, such that the attack surface for such vulnerabilities will be reduced in the future for clients which support this extension.
[1] http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting...
Thanks,
On 17 October 2014 19:04, Mark Bergsma mark@wikimedia.org wrote:
> If you see or hear about anyone having issues connecting to our sites over HTTPS or logging in, please direct them at the link above, and urge them to upgrade their software. Unfortunately due to the nature of HTTPS we're not able to provide a fallback when users get an error message due to this. We're still looking into the possibility to provide affected users with an informative error message upon login however, before they get redirected from HTTP to HTTPS.
I believe that's it for IE6, for one. (I think the user can enable TLS, but anyone stuck on IE6 is likely so locked down they can't do that.)
- d.
wikitech-l@lists.wikimedia.org