the ssl certs were all replaced via Greg:

FYI to this audience as well:

We're resetting all user session tokens today due to heartbleed. What I didn't state below is that we have already replaced our SSL certs as well as upgraded to the fixed version of openssl.

----- Forwarded message from Greg Grossmeier <[email protected]> -----

> Date: Tue, 8 Apr 2014 13:54:26 -0700
> From: Greg Grossmeier <[email protected]>
> To: Wikitech Ambassadors <[email protected]>
> Subject: Security precaution - Resetting all user sessions today
>
> Yesterday a widespread issue in OpenSSL was disclosed that would allow
> attackers to gain access to privileged information on any site running a
> vulnerable version of that software. Unfortunately, all Wikimedia
> Foundation hosted wikis are potentially affected.
>
> We have no evidence of any actual compromise to our systems or our users'
> information, but as a precautionary measure we are resetting all user
> session tokens. In other words, we will be forcing all logged in users
> to re-login (ie: we are logging everyone out).
>
> All logged in users send a secret session token with each request to the
> site and if a nefarious person were able to intercept that token they
> could impersonate other users. Resetting the tokens for all users will
> have the benefit of making all users reconnect to our servers using the
> updated and fixed version of the OpenSSL software, thus removing this
> potential attack.
>
> As an extra precaution, we recommend all users change their passwords as
> well.
>
> Again, there has been no evidence that Wikimedia Foundation users were
> targeted by this attack, but we want all of our users to be as safe as
> possible.
>
> Thank you for your understanding and patience,
>
> Greg Grossmeier
>
> --
> | Greg Grossmeier            GPG: B2FA 27B1 F7EB D327 6B8E |
> | identi.ca: @greg                A18D 1138 8E47 FAC8 1C7D |

----- End forwarded message -----

On Thu, Apr 10, 2014 at 3:34 PM, Vito <[email protected]> wrote:

> On 10/04/2014 21:32, Tyler Romeo wrote:
>
>> On Thu, Apr 10, 2014 at 3:25 PM, Derric Atzrott <[email protected]> wrote:
>>
>>> I just had Certificate Patrol in Firefox let me know that the SSL cert for
>>> Wikimedia.org was changed? Does anyone know anything about that? Are
>>> multiple certificates in use?
>>
>> Probably due to the Heartbleed issue. There's another thread on this
>> mailing list explaining that WMF has reset all user tokens and is
>> reissuing SSL certificates.
>
> Yep, it would make a few sense to reset tokens and change passwords
> before certs are reissued.
>
> Vito
>
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l

--
David Chamberlain
http://alaskawiki.org/ <http://alaskawiki.org/index.php?title=Alaska>
http://about.me/david.chamberlain
Mission: To be the largest and most accurate source of information about Alaska.
