Upgrading against the POODLE vulnerability

[mark]

Hi all,

Today another SSL vulnerability was announced. This one is named POODLE and is, while serious, much less serious than the Heartbleed event from some months ago.

Unfortunately, the only real way to fix the problem is to disable something called "SSLv3" entirely. Basically, this means that we instruct our servers that they are no longer allowed to speak version 3 of the SSL protocol (you can think of it as a language -- we ban this language from our servers). It turns out this is generally OK since most browsers don't actually speak using SSLv3 these days -- you actually use what's called TLS, which is a more modern, better way of protecting the stuff you send across the Internet.

The SSLv3 protocol is actually around 15 years old at this point, and TLS has been out so long that nearly every browser out there supports it. However, shutting off SSLv3 does mean that very old browsers -- IE6, for one -- can no longer talk to Dreamwidth using encryption. In this case, since the encryption wouldn't actually mean anything, we think it's better to not even pretend that it works.

I will be making this change sometime in the next hour or three. This really should impact almost none of you, but there might be one or two and, in that case, I'm sorry. We think it's better to do this so you know you're not actually secure than to let Dreamwidth pretend to be secure.

Edit: This has been deployed. SSLv3 is disabled on Dreamwidth.

Comments and questions welcome, as always!

Comments

[ursamajor]

Just when I was about to try to hunt down a user-friendly explanation of POODLE, dreamwidth and mark provide it! Thank you for the information and the fix :)

[frayingboundaries]

*Stops giggling like mad at their mental image of a poodle with twirly cords for the curly fur and goes to read what poodle really is.

[curiosity]

Thank you so much for all your hard work. :)

[someplacetobe]

Thanks so very much! I honestly didn't think SSLv3 was still around!

[cmcmck]

It's all Greek to me as I am but an humble historian, but thanks for letting us know! :o)

[mark]

I think of the whole subject kind of like the evolution of siege warfare.

First they built SSLv1, but it was crap. So it never actually was used and went away. Then they made SSLv2 and said "check out our awesome wall, nobody can sack our city!" and a bunch of people showed up, looked at it for 30 seconds, and then built a ladder and sacked the city.

Very shortly thereafter they made SSLv3. Which featured such things as bigger walls, arrow slits, and even some archers. And it stood for a while, but eventually, someone made a trebuchet and could rain down pain and destruction from great distances. Also crossbows.

They had to get fancier, those city builders. There came designs for walls that actually made the physics of dropping heavy boulders work out kind of badly. Not to mention that if you build walls thick enough, the heaviest rocks can't do all that much. So for a while, TLSv1.0 was the king of the hill and the darn people who sack cities had to go away (or get very, very large armies and starve them out -- medieval DDoS attacks).

And then, as they say, necessity is the mother of invention. Those cravers of other people's data -- er, cities -- started to deploy gunpowder based weaponry and fancier schemes. The walls started to fall again, and so TLSv1.1 was created to patch things up one more time.

Of course, you see where this is going.

Every few years the cycle repeats. Sometimes we win -- in that scientists who study this stuff find the vulnerabilities before the bad people -- and sometimes we lose. And unlike actual sieges, it's usually impossible to know for sure if you've been breached (pretty hard to prove a negative). The best we can do is try to be vigilant and respond quickly when one of these things does happen, have good logs, and watch things.

Maybe this was informative, maybe entertaining, maybe neither. Also, I realize I just made some probably egregious misinterpretations of medieval warfare. I am totally open to critique and education. :)

/ramble mode off

[siderea]

Wait, did this happen yet? (I have an antique browser I regularly use w/ DW, and I had no trouble authenticating around 3am UTC, so my fingers are crossed.)

ETA: and now I can't load https://www.dreamwidth.org/login.bml so it looks like yeah, it's not supporting TLS.

[denise]

Yes, the change is live now.

(If you log in from the navstrip or the site skin anywhere, your password is still encrypted, even if you aren't on a HTTPS page -- it's encrypted in-browser. It's not perfect, but at least it's not being sent in cleartext.)

[fu]

It happened shortly after this entry was posted!

[mark]

Yup, this happened ~2 hours ago.

[glittertine]

Thanks Mark!

[gwendraith]

Thanks for letting us know!

[sharpiefan]

Random stranger wandering by here. I love your icon! :D

[saratogaroad]

Heartbleed, POODLE...who names these things? xD That aforementioned mental image of a poodle whose fur is twisted cords is too funny, but thanks for all your work to keep us safe and in the loop! it's very much appreciated. <3

[mildred_of_midgard]

Also shellshock. :D I hate the vulnerabilities, but I love the names!

Big thumbs up to the maintainers for clear and open communication.

[frayingboundaries]

Oh! I'm happy to oblige. <3

And the curly twisted fur poodle would also have little plug-ins on the end of each coil, a bit like the plugs you connect an iPod or whatnot with.

Also, you are entirely not the only person wondering where the heck they come up with these names. I keep expecting to find one named Nosegoblin or something equally hideously random. But then, I guess Heartbleed is pretty random isn't it? But seriously, I'm so glad my mental image made you smile.

[samuraiter]

IE6 users, you say? ... Well, if there are any DW fans in mainland China, there they went, heh. (To the frustration of folks like the Java developers / maintainers, IE6 is still the dominant browser in China.)

[jazzyjj]

I'm currently logged into the mobile Dw site using the latest version of Safari on a Mac Book Air, and everything seems to be working great. When I read the original entry here I immediately thought of the album "Poodle Hat." Those of you who, like me, are Weird-Al Yankovic fans know what I'm talking about. Anyway, thank you Dw for all that you do. I count myself among those who had no idea what this was until reading this entry. That's just part of what makes this site so fantastic! Definitely staying here! I'll try to enter through the front door, a.k.a., the regular site and if all fails then I'll post here again.

[frayingboundaries]

OMG Poodle Hat! I know that album, and thought of it right after the poodle with twisty coil fur.

[havocthecat]

How about IE8? Which my company has forced me to continue using far past the time that is reasonable. Thank!

[mark]

IE8 should be unaffected!

A related question

[erik]

Is there a way to use https for all of DW by default?

Re: A related question

[alierak]

We're certainly considering it, but it looks like there are going to be some issues where we allow inline images and media hosted on other sites. Issue 871.

[lferion]

I love you all, so much. This is a brilliant and funny explanation. And i am going to have to remember Drawn-out Denial Of Substance, oh my ghod.

[lizvogel]

but there might be one or two and, in that case, I'm sorry. We think it's better to do this so you know you're not actually secure than to let Dreamwidth pretend to be secure.

Thank you so, so much for this. For once, I do not seem to be one of the people whose older browser is impacted, but I have been often enough to really, really appreciate an explanation, and an acknowledgment that anybody using something that old might be doing so for a reason, rather than the usual "your browser is ugly and its mother dresses it funny, upgrade now, loser!" attitude that many other sites think qualifies as customer service.

You guys seriously rock.

(And it sounds like the affected browsers will still be able to use the site, just not with encryption? Leaving it up to the users to decide what's priority for them? Awesome.)

[jordannamorgan]

and an acknowledgment that anybody using something that old might be doing so for a reason, rather than the usual "your browser is ugly and its mother dresses it funny, upgrade now, loser!" attitude that many other sites think qualifies as customer service.

This. So much.

Glad my browser is in the clear this time. :)

[solitarywalker]

Slightly off-topic... I read recently that Cloudflare is offering free, easy-to-implement, site-wide SSL. I'm guessing it's not quite *that* easy, but could DW use this to secure all its connections? Or is something else on the horizon to protect our connections/data?

[denise]

It's definitely not that easy, sadly. We could turn on site-wide SSL tomorrow, except for the fact that people can include content (images, videos, etc) in their entries loaded from other servers, and that content isn't always (isn't often) served over a SSL connection. If you have a page served over a secured connection that contains unsecured content, most browsers will throw errors, fail to load the unsecured content, or (at the strictest security settings) refuse to load the page entirely.

It's not an unsolveable problem, and we've spent a lot of time talking over the question of how we can solve it, but we haven't found a good enough solution yet.

Insecurity

[hendrikboom]

The way I let users know they're not secure is to have my website not use encryption at all!

-- hendrik

Re: Insecurity

[hendrikboom]

And just in case they ignore this, I won't let them post anything anyway.

-- hendrik