SSL 3.0 disabled on Wikimedia sites
Hi all,

Due to the POODLE vulnerability in SSL3.0 that's been announced this
week and has made its round through the media, we decided that we
needed to disable SSL3.0 on all our HTTPS services today, to protect
the security of all our users. The bulk of that change has been
deployed today at 15:00 UTC for the wikis, and the remaining HTTPS
services are getting the same treatment throughout the day. Please see
our blog post on this topic for details:

http://blog.wikimedia.org/2014/10/17/protecting-users-against-poodle-by-removing-ssl-3-0-support/

If you see or hear about anyone having issues connecting to our sites
over HTTPS or logging in, please direct them at the link above, and
urge them to upgrade their software. Unfortunately due to the nature
of HTTPS we're not able to provide a fallback when users get an error
message due to this. We're still looking into the possibility to
provide affected users with an informative error message upon login
however, before they get redirected from HTTP to HTTPS.

As a side note, we've also deployed Google's SCSV SSL extension[1] on
our servers yesterday, such that the attack surface for such
vulnerabilities will be reduced in the future for clients which
support this extension.

[1] http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html

Thanks,

--
Lead Operations Architect
Director of Technical Operations
Wikimedia Foundation

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: SSL 3.0 disabled on Wikimedia sites
On 17 October 2014 19:04, Mark Bergsma <mark@wikimedia.org> wrote:

> If you see or hear about anyone having issues connecting to our sites
> over HTTPS or logging in, please direct them at the link above, and
> urge them to upgrade their software. Unfortunately due to the nature
> of HTTPS we're not able to provide a fallback when users get an error
> message due to this. We're still looking into the possibility to
> provide affected users with an informative error message upon login
> however, before they get redirected from HTTP to HTTPS.


I believe that's it for IE6, for one. (I think the user can enable
TLS, but anyone stuck on IE6 is likely so locked down they can't do
that.)


- d.
