FYI to this audience as well:
We're reseting all user session tokens today due to heartbleed.
What I didn't state below is that we have already replaced our SSL certs
as well as upgraded to the fixed version of openssl.
----- Forwarded message from Greg Grossmeier <greg(a)wikimedia.org> -----
Date: Tue, 8 Apr 2014 13:54:26 -0700
From: Greg Grossmeier <greg(a)wikimedia.org>
To: Wikitech Ambassadors <wikitech-ambassadors(a)lists.wikimedia.org>
Subject: Security precaution - Resetting all user sessions today
Yesterday a widespread issue in OpenSSL was disclosed that would allow
attackers to gain access to privileged information on any site running a
vulnerable version of that software. Unfortunately, all Wikimedia
Foundation hosted wikis are potentially affected.
We have no evidence of any actual compromise to our systems or our users
information, but as a precautionary measure we are resetting all user
session tokens. In other words, we will be forcing all logged in users
to re-login (ie: we are logging everyone out).
All logged in users send a secret session token with each request to the
site and if a nefarious person were able to intercept that token they
could impersonate other users. Resetting the tokens for all users will
have the benefit of making all users reconnect to our servers using the
updated and fixed version of the OpenSSL software, thus removing this
potential attack.
As an extra precaution, we recommend all users change their passwords as
well.
Again, there has been no evidence that Wikimedia Foundation users were
targeted by this attack, but we want all of our users to be as safe as
possible.
Thank you for your understanding and patience,
Greg Grossmeier
--
| Greg Grossmeier GPG: B2FA 27B1 F7EB D327 6B8E |
| identi.ca: @greg A18D 1138 8E47 FAC8 1C7D |
----- End forwarded message -----
--
| Greg Grossmeier GPG: B2FA 27B1 F7EB D327 6B8E |
| identi.ca: @greg A18D 1138 8E47 FAC8 1C7D |