Mark Smith ([staff profile] mark) wrote in [site community profile] dw_maintenance, 2014-10-14 05:38 pm

Upgrading against the POODLE vulnerability

Hi all,

Today another SSL vulnerability was announced. This one is named POODLE and, while serious, it is much less serious than the Heartbleed event from some months ago.

Unfortunately, the only real way to fix the problem is to disable something called "SSLv3" entirely. Basically, this means that we instruct our servers that they are no longer allowed to speak version 3 of the SSL protocol (you can think of it as a language -- we ban this language from our servers). It turns out this is generally OK since most browsers don't actually speak using SSLv3 these days -- you actually use what's called TLS, which is a more modern, better way of protecting the stuff you send across the Internet.

The SSLv3 protocol is actually around 15 years old at this point, and TLS has been out so long that nearly every browser out there supports it. However, shutting off SSLv3 does mean that very old browsers -- IE6, for one -- can no longer talk to Dreamwidth using encryption. In this case, since the encryption wouldn't actually mean anything, we think it's better to not even pretend that it works.

I will be making this change sometime in the next hour or three. This really should impact almost none of you, but there might be one or two and, in that case, I'm sorry. We think it's better to do this so you know you're not actually secure than to let Dreamwidth pretend to be secure.

Edit: This has been deployed. SSLv3 is disabled on Dreamwidth.

Comments and questions welcome, as always!
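As an added illustration (not part of the original post or Dreamwidth's own code), here is a small Python probe an operator can run after making the change described above, to confirm a server really refuses SSLv3: it sends a raw SSLv3 ClientHello and classifies the first record that comes back. The host and port are arguments you supply; the response bytes checked in the comments are constructed for illustration.

```python
import os
import socket
import struct
import sys

SSLV3 = b"\x03\x00"                        # SSL/TLS version bytes for SSL 3.0
CIPHER_SUITES = (0x002F, 0x000A, 0x0005)   # AES128-SHA, 3DES-SHA, RC4-SHA (common in 2014)
ALERTS = {40: "handshake_failure", 70: "protocol_version"}

def build_sslv3_client_hello():
    """Return one record carrying a minimal SSLv3 ClientHello (SSLv3 has no extensions)."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (SSLV3 + os.urandom(32) + b"\x00"            # version, 32-byte random, empty session id
            + struct.pack("!H", len(suites)) + suites    # cipher suite list
            + b"\x01\x00")                               # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 + 24-bit length
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """Interpret the first record a server sends back to the SSLv3 ClientHello."""
    if not data:
        return "disabled (connection closed without a reply)"
    if data[0] == 0x15 and len(data) >= 7:               # alert record: level at [5], description at [6]
        return "disabled (alert %s)" % ALERTS.get(data[6], "code %d" % data[6])
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:   # handshake record, ServerHello
        if data[9:11] == SSLV3:                          # server_version field of the ServerHello
            return "ENABLED (server negotiated SSLv3, still exposed to POODLE)"
        return "unexpected (ServerHello with version %r)" % data[9:11]
    return "unexpected (record type 0x%02x)" % data[0]

def probe_sslv3(host, port=443, timeout=5.0):
    """Connect, send the SSLv3 ClientHello and report how the server answered."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except OSError:          # timeout or reset: treat like a silent close
            data = b""
    return classify_response(data)

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "www.dreamwidth.org"
    print(host, "->", probe_sslv3(host))
```

A result starting with "disabled" is what you want to see after the change; "ENABLED" means the server still speaks SSLv3.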


[personal profile] ursamajor 2014-10-15 04:38 am (UTC)(link)
Just when I was about to try to hunt down a user-friendly explanation of POODLE, [profile] dreamwidth and [staff profile] mark provide it! Thank you for the information and the fix :)

[personal profile] frayingboundaries 2014-10-15 05:17 am (UTC)(link)
*Stops giggling like mad at their mental image of a poodle with twirly cords for the curly fur and goes to read what poodle really is.

[personal profile] curiosity 2014-10-15 05:38 am (UTC)(link)
Thank you so much for all your hard work. :)

[personal profile] someplacetobe 2014-10-15 06:19 am (UTC)(link)
Thanks so very much! I honestly didn't think SSLv3 was still around!

[personal profile] cmcmck 2014-10-15 06:42 am (UTC)(link)
It's all Greek to me as I am but an humble historian, but thanks for letting us know! :o)


[personal profile] siderea 2014-10-15 06:53 am (UTC)(link)
Wait, did this happen yet? (I have an antique browser I regularly use w/ DW, and I had no trouble authenticating around 3am UTC, so my fingers are crossed.)

ETA: and now I can't load https://www.dreamwidth.org/login.bml so it looks like yeah, it's not supporting TLS.
Edited 2014-10-15 06:56 (UTC)

[staff profile] denise 2014-10-15 07:01 am (UTC)(link)

Yes, the change is live now.

(If you log in from the navstrip or the site skin anywhere, your password is still encrypted, even if you aren't on a HTTPS page -- it's encrypted in-browser. It's not perfect, but at least it's not being sent in cleartext.)


[personal profile] fu 2014-10-15 07:02 am (UTC)(link)

It happened shortly after this entry was posted!

[personal profile] glittertine 2014-10-15 07:45 am (UTC)(link)
Thanks Mark!

[personal profile] gwendraith 2014-10-15 08:39 am (UTC)(link)
Thanks for letting us know!

[personal profile] sharpiefan 2014-10-15 09:41 am (UTC)(link)
Random stranger wandering by here. I love your icon! :D

[personal profile] saratogaroad 2014-10-15 11:20 am (UTC)(link)
Heartbleed, POODLE...who names these things? xD That aforementioned mental image of a poodle whose fur is twisted cords is too funny, but thanks for all your work to keep us safe and in the loop! it's very much appreciated. <3

[personal profile] mildred_of_midgard 2014-10-15 04:23 pm (UTC)(link)
Also shellshock. :D I hate the vulnerabilities, but I love the names!

Big thumbs up to the maintainers for clear and open communication.

[personal profile] frayingboundaries 2014-10-15 08:23 pm (UTC)(link)
Oh! I'm happy to oblige. <3

And the curly twisted fur poodle would also have little plug-ins on the end of each coil, a bit like the plugs you connect an iPod or whatnot with.

Also, you are entirely not the only person wondering where the heck they come up with these names. I keep expecting to find one named Nosegoblin or something equally hideously random. But then, I guess Heartbleed is pretty random isn't it? But seriously, I'm so glad my mental image made you smile.

[personal profile] samuraiter 2014-10-15 12:17 pm (UTC)(link)
IE6 users, you say? ... Well, if there are any DW fans in mainland China, there they went, heh. (To the frustration of folks like the Java developers / maintainers, IE6 is still the dominant browser in China.)

[personal profile] jazzyjj 2014-10-15 12:26 pm (UTC)(link)
I'm currently logged into the mobile Dw site using the latest version of Safari on a Mac Book Air, and everything seems to be working great. When I read the original entry here I immediately thought of the album "Poodle Hat." Those of you who, like me, are Weird-Al Yankovic fans know what I'm talking about. Anyway, thank you Dw for all that you do. I count myself among those who had no idea what this was until reading this entry. That's just part of what makes this site so fantastic! Definitely staying here! I'll try to enter through the front door, a.k.a., the regular site and if all fails then I'll post here again.

[personal profile] frayingboundaries 2014-10-15 08:26 pm (UTC)(link)
OMG Poodle Hat! I know that album, and thought of it right after the poodle with twisty coil fur.

[personal profile] havocthecat 2014-10-15 01:18 pm (UTC)(link)
How about IE8? Which my company has forced me to continue using far past the time that is reasonable. Thanks!

A related question

[personal profile] erik 2014-10-15 03:44 pm (UTC)(link)
Is there a way to use https for all of DW by default?

Re: A related question

[personal profile] alierak 2014-10-15 04:21 pm (UTC)(link)
We're certainly considering it, but it looks like there are going to be some issues where we allow inline images and media hosted on other sites. Issue 871.

[personal profile] lferion 2014-10-15 06:32 pm (UTC)(link)
I love you all, so much. This is a brilliant and funny explanation. And I am going to have to remember Drawn-out Denial Of Substance, oh my ghod.

[personal profile] lizvogel 2014-10-15 06:43 pm (UTC)(link)
but there might be one or two and, in that case, I'm sorry. We think it's better to do this so you know you're not actually secure than to let Dreamwidth pretend to be secure.

Thank you so, so much for this. For once, I do not seem to be one of the people whose older browser is impacted, but I have been often enough to really, really appreciate an explanation, and an acknowledgment that anybody using something that old might be doing so for a reason, rather than the usual "your browser is ugly and its mother dresses it funny, upgrade now, loser!" attitude that many other sites think qualifies as customer service.

You guys seriously rock.

(And it sounds like the affected browsers will still be able to use the site, just not with encryption? Leaving it up to the users to decide what's priority for them? Awesome.)

[personal profile] jordannamorgan 2014-10-15 08:42 pm (UTC)(link)
and an acknowledgment that anybody using something that old might be doing so for a reason, rather than the usual "your browser is ugly and its mother dresses it funny, upgrade now, loser!" attitude that many other sites think qualifies as customer service.

This. So much.

Glad my browser is in the clear this time. :)

[personal profile] solitarywalker 2014-10-16 01:16 pm (UTC)(link)
Slightly off-topic... I read recently that Cloudflare is offering free, easy-to-implement, site-wide SSL. I'm guessing it's not quite *that* easy, but could DW use this to secure all its connections? Or is something else on the horizon to protect our connections/data?

[staff profile] denise 2014-10-16 01:33 pm (UTC)(link)

It's definitely not that easy, sadly. We could turn on site-wide SSL tomorrow, except for the fact that people can include content (images, videos, etc) in their entries loaded from other servers, and that content isn't always (isn't often) served over an SSL connection. If you have a page served over a secured connection that contains unsecured content, most browsers will throw errors, fail to load the unsecured content, or (at the strictest security settings) refuse to load the page entirely.

It's not an unsolvable problem, and we've spent a lot of time talking over the question of how we can solve it, but we haven't found a good enough solution yet.

Insecurity

[personal profile] hendrikboom 2014-10-25 07:16 pm (UTC)(link)
The way I let users know they're not secure is to have my website not use encryption at all!

-- hendrik

Re: Insecurity

[personal profile] hendrikboom 2014-10-25 07:17 pm (UTC)(link)
And just in case they ignore this, I won't let them post anything anyway.

-- hendrik