Hey,
I just had Certificate Patrol in Firefox let me know that the SSL cert for Wikimedia.org was changed? Does anyone know anything about that? Are multiple certificates in use?
Old cert:
- Builtin Object Token:Equifax Secure CA
- *.wikimedia.org
SHA1: BA:8A:BE:34:B1:34:3B:AF:06:05:4B:48:A9:27:AA:D9:B4:75:45:6E
Issued: 2010-08-03 11:43:56 (1346 days ago)
Expires: 2015-08-22 18:23:10 (499 days ahead)
New cert:
- GeoTrust Global CA
- RapidSSL CA
- *.wikimedia.org
SHA1: A4:5B:84:1B:A8:00:DC:1B:2E:11:71:E6:31:C6:5D:0E:AF:50:10:95
Issued: 2014-04-06 18:31:08 (4 days ago)
Expires: 2015-08-24 19:09:19 (501 days ahead)
I rejected the certificate for the moment, but saved a copy of both if anyone wants to take a look.
Thank you,
Derric Atzrott
Computer Specialist
Alizee Pathology
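The comparison a certificate-change monitor such as Certificate Patrol reports, as an added example (not part of the original thread and not the extension's own code). The record layout, the function names and the 30-day expiry window are assumptions; the certificate values are the ones quoted in the message above.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class SeenCert:
    chain: tuple      # issuing CAs, root first
    sha1: str         # colon-separated SHA-1 fingerprint
    issued: date
    expires: date

def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER encoding, formatted the way browsers display it."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def assess_change(old, new, today, expiry_window_days=30):
    """Return the observations a reviewer needs to judge a certificate change."""
    if old.sha1 == new.sha1:
        return []                      # same certificate, nothing to report
    notes = []
    days_left = (old.expires - today).days
    if days_left > expiry_window_days:  # assumed threshold for "replaced early"
        notes.append(f"old certificate replaced {days_left} days before expiry")
    if old.chain[0] != new.chain[0]:
        notes.append(f"root CA changed: {old.chain[0]} -> {new.chain[0]}")
    age = (today - new.issued).days
    notes.append("new certificate is not valid yet" if age < 0
                 else f"new certificate issued {age} days ago")
    return notes

# Values quoted in the first message of the thread.
OLD = SeenCert(("Equifax Secure CA",),
               "BA:8A:BE:34:B1:34:3B:AF:06:05:4B:48:A9:27:AA:D9:B4:75:45:6E",
               date(2010, 8, 3), date(2015, 8, 22))
NEW = SeenCert(("GeoTrust Global CA", "RapidSSL CA"),
               "A4:5B:84:1B:A8:00:DC:1B:2E:11:71:E6:31:C6:5D:0E:AF:50:10:95",
               date(2014, 4, 6), date(2015, 8, 24))

if __name__ == "__main__":
    # The message was sent on 2014-04-10.
    for note in assess_change(OLD, NEW, today=date(2014, 4, 10)):
        print(note)
```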
On Thu, Apr 10, 2014 at 3:25 PM, Derric Atzrott <datzrott@alizeepathology.com> wrote:
I just had Certificate Patrol in Firefox let me know that the SSL cert for Wikimedia.org was changed? Does anyone know anything about that? Are multiple certificates in use?
Probably due to the Heartbleed issue. There's another thread on this mailing list explaining that WMF has reset all user tokens and is reissuing SSL certificates.
--
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science
On 10/04/2014 21:32, Tyler Romeo wrote:
On Thu, Apr 10, 2014 at 3:25 PM, Derric Atzrott <datzrott@alizeepathology.com> wrote:
I just had Certificate Patrol in Firefox let me know that the SSL cert for Wikimedia.org was changed? Does anyone know anything about that? Are multiple certificates in use?
Probably due to the Heartbleed issue. There's another thread on this mailing list explaining that WMF has reset all user tokens and is reissuing SSL certificates.
Yep, it would make some sense to reset tokens and change passwords before certs are reissued.
Vito
the ssl certs were all replaced via Greg:
FYI to this audience as well:
We're resetting all user session tokens today due to heartbleed.
What I didn't state below is that we have already replaced our SSL certs as well as upgraded to the fixed version of openssl.
----- Forwarded message from Greg Grossmeier greg@wikimedia.org -----
Date: Tue, 8 Apr 2014 13:54:26 -0700
From: Greg Grossmeier greg@wikimedia.org
To: Wikitech Ambassadors wikitech-ambassadors@lists.wikimedia.org
Subject: Security precaution - Resetting all user sessions today
Yesterday a widespread issue in OpenSSL was disclosed that would allow attackers to gain access to privileged information on any site running a vulnerable version of that software. Unfortunately, all Wikimedia Foundation hosted wikis are potentially affected.
We have no evidence of any actual compromise to our systems or our users' information, but as a precautionary measure we are resetting all user session tokens. In other words, we will be forcing all logged in users to re-login (i.e. we are logging everyone out).
All logged in users send a secret session token with each request to the site and if a nefarious person were able to intercept that token they could impersonate other users. Resetting the tokens for all users will have the benefit of making all users reconnect to our servers using the updated and fixed version of the OpenSSL software, thus removing this potential attack.
As an extra precaution, we recommend all users change their passwords as well.
Again, there has been no evidence that Wikimedia Foundation users were targeted by this attack, but we want all of our users to be as safe as possible.
Thank you for your understanding and patience,
Greg Grossmeier
--
| Greg Grossmeier            GPG: B2FA 27B1 F7EB D327 6B8E |
| identi.ca: @greg                A18D 1138 8E47 FAC8 1C7D |
----- End forwarded message -----
On Thu, Apr 10, 2014 at 3:34 PM, Vito vituzzu.wiki@gmail.com wrote:
On 10/04/2014 21:32, Tyler Romeo wrote:
On Thu, Apr 10, 2014 at 3:25 PM, Derric Atzrott <datzrott@alizeepathology.com> wrote:
I just had Certificate Patrol in Firefox let me know that the SSL cert for Wikimedia.org was changed? Does anyone know anything about that? Are multiple certificates in use?
Probably due to the Heartbleed issue. There's another thread on this mailing list explaining that WMF has reset all user tokens and is reissuing SSL certificates.
Yep, it would make some sense to reset tokens and change passwords before certs are reissued.
Vito
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On 10/04/2014 21:37, David Chamberlain wrote:
the ssl certs were all replaced via Greg:
FYI to this audience as well:
We're resetting all user session tokens today due to heartbleed.
What I didn't state below is that we have already replaced our SSL certs as well as upgraded to the fixed version of openssl.
I still see the old Digicert's one (from Italy).
Vito
On Apr 10, 2014 3:34 PM, "Vito" vituzzu.wiki@gmail.com wrote:
Yep, it would make some sense to reset tokens and change passwords before certs are reissued.
No it doesn't!!!
Change keys/certs first. Then do tokens/passwords.
-Jeremy
On Apr 10, 2014 3:27 PM, "Derric Atzrott" datzrott@alizeepathology.com wrote:
I just had Certificate Patrol in Firefox let me know that the SSL cert for Wikimedia.org was changed? Does anyone know anything about that? Are multiple certificates in use?
FYI, this has been widely covered in a lot of mainstream press. (but not necessarily well. Some call OpenSSL a protocol)
http://lists.wikimedia.org/pipermail/wikitech-l/2014-April/075801.html
(didn't hear about the xkcd coverage on the internet or by checking the site. I heard about it by accidentally getting on the same subway as a friend that had seen it)
-Jeremy
I just had Certificate Patrol in Firefox let me know that the SSL cert for Wikimedia.org was changed? Does anyone know anything about that? Are multiple certificates in use?
FYI, this has been widely covered in a lot of mainstream press. (but not necessarily well. Some call OpenSSL a protocol)
http://lists.wikimedia.org/pipermail/wikitech-l/2014-April/075801.html
Ah. I'm still reading emails from Monday on the list. So I must have just missed out on the SSL cert change. I did hear about the Heartbleed issue (actually had a few users here at the office come to me very concerned about what they heard on the news).
Glad to hear that the certs were reissued to take care of that.
Thank you, Derric Atzrott
On Thu, Apr 10, 2014 at 12:48 PM, Derric Atzrott datzrott@alizeepathology.com wrote:
I just had Certificate Patrol in Firefox let me know that the SSL cert for Wikimedia.org was changed? Does anyone know anything about that? Are multiple certificates in use?
FYI, this has been widely covered in a lot of mainstream press. (but not necessarily well. Some call OpenSSL a protocol)
http://lists.wikimedia.org/pipermail/wikitech-l/2014-April/075801.html
Ah. I'm still reading emails from Monday on the list. So I must have just missed out on the SSL cert change. I did hear about the Heartbleed issue (actually had a few users here at the office come to me very concerned about what they heard on the news).
Glad to hear that the certs were reissued to take care of that.
There is now a blog post with a timeline overview of the actions taken: https://blog.wikimedia.org/2014/04/10/wikimedias-response-to-the-heartbleed-...