Re: [Wikitech-l] Fwd: Security precaution - Resetting all user sessions today

2014-04-08 Thread Chris Steipp
Due to the speed of the script, it will take a while for everyone to be
logged out.

If you hit this issue, logging out and logging in again seems to fix the
problem. I'm still trying to track down why this is happening.


On Tue, Apr 8, 2014 at 4:43 PM, Greg Grossmeier wrote:

> Chris S is actively looking into this. Thanks for the note.
>
> --
> Sent from my phone, please excuse brevity.
> On Apr 8, 2014 4:18 PM, "Risker" wrote:
>
> > Thanks for the heads-up, Greg.  However, I'm finding that I am being
> > repeatedly logged out...it's happened every other edit I've made tonight,
> > which is a real pain.  Will report on IRC as well.
> >
> > Risker/Anne
> >
___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Fwd: Security precaution - Resetting all user sessions today

2014-04-08 Thread Greg Grossmeier
Chris S is actively looking into this. Thanks for the note.

--
Sent from my phone, please excuse brevity.
On Apr 8, 2014 4:18 PM, "Risker" wrote:

> Thanks for the heads-up, Greg.  However, I'm finding that I am being
> repeatedly logged out...it's happened every other edit I've made tonight,
> which is a real pain.  Will report on IRC as well.
>
> Risker/Anne

Re: [Wikitech-l] Fwd: Security precaution - Resetting all user sessions today

2014-04-08 Thread Risker
Thanks for the heads-up, Greg.  However, I'm finding that I am being
repeatedly logged out...it's happened every other edit I've made tonight,
which is a real pain.  Will report on IRC as well.

Risker/Anne



Re: [Wikitech-l] Fwd: Security precaution - Resetting all user sessions today

2014-04-08 Thread Brian Wolff
Googling, I found http://heartbleed.com/ and
https://www.openssl.org/news/secadv_20140407.txt gave more technical
description of the issue in question, which I found interesting.
Thought I'd pass the links along in case they are useful to anyone
else.

Anyhow, some scary stuff there.

--bawolff


[Wikitech-l] Fwd: Security precaution - Resetting all user sessions today

2014-04-08 Thread Greg Grossmeier
FYI to this audience as well:

We're resetting all user session tokens today due to heartbleed.

What I didn't state below is that we have already replaced our SSL certs
as well as upgraded to the fixed version of openssl.

- Forwarded message from Greg Grossmeier  -

> Date: Tue, 8 Apr 2014 13:54:26 -0700
> From: Greg Grossmeier 
> To: Wikitech Ambassadors 
> Subject: Security precaution - Resetting all user sessions today
> 
> Yesterday a widespread issue in OpenSSL was disclosed that would allow
> attackers to gain access to privileged information on any site running a
> vulnerable version of that software. Unfortunately, all Wikimedia
> Foundation hosted wikis are potentially affected. 
> 
> We have no evidence of any actual compromise to our systems or our users'
> information, but as a precautionary measure we are resetting all user
> session tokens. In other words, we will be forcing all logged in users
> to re-login (ie: we are logging everyone out).
> 
> All logged in users send a secret session token with each request to the
> site and if a nefarious person were able to intercept that token they
> could impersonate other users. Resetting the tokens for all users will
> have the benefit of making all users reconnect to our servers using the
> updated and fixed version of the OpenSSL software, thus removing this
> potential attack. 
> 
> As an extra precaution, we recommend all users change their passwords as
> well.
> 
> 
> Again, there has been no evidence that Wikimedia Foundation users were
> targeted by this attack, but we want all of our users to be as safe as
> possible. 
> 
> 
> Thank you for your understanding and patience, 
> 
> Greg Grossmeier
> 
> 
> -- 
> | Greg Grossmeier            GPG: B2FA 27B1 F7EB D327 6B8E |
> | identi.ca: @greg                A18D 1138 8E47 FAC8 1C7D |



- End forwarded message -

-- 
| Greg Grossmeier            GPG: B2FA 27B1 F7EB D327 6B8E |
| identi.ca: @greg                A18D 1138 8E47 FAC8 1C7D |

