---------- Forwarded message ----------
From: "Mark Bergsma" <[email protected]>
Date: Oct 17, 2014 2:05 PM
Subject: [Wikitech-l] SSL 3.0 disabled on Wikimedia sites
To: <[email protected]>
Cc:
> Hi all,
>
> Due to the POODLE vulnerability in SSL3.0 that's been announced this
> week and has made its round through the media, we decided that we
> needed to disable SSL3.0 on all our HTTPS services today, to protect
> the security of all our users. The bulk of that change has been
> deployed today at 15:00 UTC for the wikis, and the remaining HTTPS
> services are getting the same treatment throughout the day. Please see
> our blog post on this topic for details:
>
> http://blog.wikimedia.org/2014/10/17/protecting-users-against-poodle-by-removing-ssl-3-0-support/
>
> If you see or hear about anyone having issues connecting to our sites
> over HTTPS or logging in, please direct them at the link above, and
> urge them to upgrade their software. Unfortunately due to the nature
> of HTTPS we're not able to provide a fallback when users get an error
> message due to this. We're still looking into the possibility to
> provide affected users with an informative error message upon login
> however, before they get redirected from HTTP to HTTPS.
>
> As a side note, we've also deployed Google's SCSV SSL extension[1] on
> our servers yesterday, such that the attack surface for such
> vulnerabilities will be reduced in the future for clients which
> support this extension.
>
> [1] http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html
>
> Thanks,
>
> --
> Lead Operations Architect
> Director of Technical Operations
> Wikimedia Foundation
>
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-ambassadors mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-ambassadors
