[Wikitech-l] SSL 3.0 disabled on Wikimedia sites

2014-10-17 Thread Mark Bergsma
Hi all,

Due to the POODLE vulnerability in SSL3.0 that's been announced this
week and has made its rounds through the media, we decided that we
needed to disable SSL3.0 on all our HTTPS services today, to protect
the security of all our users. The bulk of that change has been
deployed today at 15:00 UTC for the wikis, and the remaining HTTPS
services are getting the same treatment throughout the day. Please see
our blog post on this topic for details:
http://blog.wikimedia.org/2014/10/17/protecting-users-against-poodle-by-removing-ssl-3-0-support/

If you see or hear about anyone having issues connecting to our sites
over HTTPS or logging in, please direct them at the link above, and
urge them to upgrade their software. Unfortunately due to the nature
of HTTPS we're not able to provide a fallback when users get an error
message due to this. We're still looking into the possibility to
provide affected users with an informative error message upon login
however, before they get redirected from HTTP to HTTPS.

As a side note, we've also deployed Google's SCSV SSL extension[1] on
our servers yesterday, such that the attack surface for such
vulnerabilities will be reduced in the future for clients which
support this extension.

[1] http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html

Thanks,

-- 
Lead Operations Architect
Director of Technical Operations
Wikimedia Foundation

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
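
The two server-side changes described in the announcement above, sketched as an added example (not part of the original message and not Wikimedia's server code): SSL 3.0 removed from the enabled versions, plus the fallback SCSV check as later standardised in RFC 7507. The helper names, the `enabled` version lists and the sample ClientHello bodies are constructed for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600         # signalling cipher suite value (RFC 7507)
INAPPROPRIATE_FALLBACK = 86        # fatal alert defined by RFC 7507
SSL30, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)

def build_client_hello(version, suites):
    """Constructed sample input: a ClientHello body without extensions."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    return (bytes(version) + bytes(32) + b"\x00"   # version, random, empty session_id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                          # one compression method: null

def parse_client_hello(body):
    """Return (client_version, cipher_suite_ids) from a ClientHello body."""
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    pos = 35 + body[34]                             # skip random and session_id
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    (n,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if n % 2 or pos + n > len(body):
        raise ValueError("bad cipher_suites length")
    return version, [s for (s,) in struct.iter_unpack("!H", body[pos:pos + n])]

def server_decision(body, enabled):
    """Hypothetical server policy: RFC 7507 check, then version selection."""
    version, suites = parse_client_hello(body)
    # A fallback retry from a client that could have negotiated a higher version.
    if TLS_FALLBACK_SCSV in suites and max(enabled) > version:
        return ("alert", INAPPROPRIATE_FALLBACK)
    usable = [v for v in enabled if v <= version]
    if not usable:
        return ("reject", None)                     # e.g. an SSL 3.0-only client
    return ("accept", max(usable))

if __name__ == "__main__":
    after = [TLS10, TLS11, TLS12]                   # SSL 3.0 removed
    suites = [0xC02F, 0x002F]
    for label, hello in [
        ("TLS 1.2 client", build_client_hello(TLS12, suites)),
        ("SSL 3.0-only client", build_client_hello(SSL30, [0x002F])),
        ("TLS 1.0 fallback retry",
         build_client_hello(TLS10, suites + [TLS_FALLBACK_SCSV])),
    ]:
        print(label, server_decision(hello, after))
```

The SSL 3.0-only client is the case with no fallback; the SCSV check only helps when the client includes the signalling value in its retry.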

Re: [Wikitech-l] SSL 3.0 disabled on Wikimedia sites

2014-10-17 Thread David Gerard
On 17 October 2014 19:04, Mark Bergsma m...@wikimedia.org wrote:

> If you see or hear about anyone having issues connecting to our sites
> over HTTPS or logging in, please direct them at the link above, and
> urge them to upgrade their software. Unfortunately due to the nature
> of HTTPS we're not able to provide a fallback when users get an error
> message due to this. We're still looking into the possibility to
> provide affected users with an informative error message upon login
> however, before they get redirected from HTTP to HTTPS.

I believe that's it for IE6, for one. (I think the user can enable
TLS, but anyone stuck on IE6 is likely so locked down they can't do
that.)


- d.
