Upgrading against the POODLE vulnerability

[mark]

Hi all,

Today another SSL vulnerability was announced. This one is named POODLE and is, while serious, much less serious than the Heartbleed event from some months ago.

Unfortunately, the only real way to fix the problem is to disable something called "SSLv3" entirely. Basically, this means that we instruct our servers that they are no longer allowed to speak version 3 of the SSL protocol (you can think of it as a language -- we ban this language from our servers). It turns out this is generally OK since most browsers don't actually speak using SSLv3 these days -- you actually use what's called TLS, which is a more modern, better way of protecting the stuff you send across the Internet.

The SSLv3 protocol is actually around 15 years old at this point, and TLS has been out so long that nearly every browser out there supports it. However, shutting off SSLv3 does mean that very old browsers -- IE6, for one -- can no longer talk to Dreamwidth using encryption. In this case, since the encryption wouldn't actually mean anything, we think it's better to not even pretend that it works.

I will be making this change sometime in the next hour or three. This really should impact almost none of you, but there might be one or two and, in that case, I'm sorry. We think it's better to do this so you know you're not actually secure than to let Dreamwidth pretend to be secure.

Edit: This has been deployed. SSLv3 is disabled on Dreamwidth.

Comments and questions welcome, as always!

Comments

[cmcmck]

It's all Greek to me as I am but an humble historian, but thanks for letting us know! :o)

[mark]

I think of the whole subject kind of like the evolution of siege warfare.

First they built SSLv1, but it was crap. So it never actually was used and went away. Then they made SSLv2 and said "check out our awesome wall, nobody can sack our city!" and a bunch of people showed up, looked at it for 30 seconds, and then built a ladder and sacked the city.

Very shortly thereafter they made SSLv3. Which featured such things as bigger walls, arrow slits, and even some archers. And it stood for a while, but eventually, someone made a trebuchet and could rain down pain and destruction from great distances. Also crossbows.

They had to get fancier, those city builders. There came designs for walls that actually made the physics of dropping heavy boulders work out kind of badly. Not to mention that if you build walls thick enough, the heaviest rocks can't do all that much. So for a while, TLSv1.0 was the king of the hill and the darn people who sack cities had to go away (or get very, very large armies and starve them out -- medieval DDoS attacks).

And then, as they say, necessity is the mother of invention. Those cravers of other people's data -- er, cities -- started to deploy gunpowder based weaponry and fancier schemes. The walls started to fall again, and so TLSv1.1 was created to patch things up one more time.

Of course, you see where this is going.

Every few years the cycle repeats. Sometimes we win -- in that scientists who study this stuff find the vulnerabilities before the bad people -- and sometimes we lose. And unlike actual sieges, it's usually impossible to know for sure if you've been breached (pretty hard to prove a negative). The best we can do is try to be vigilant and respond quickly when one of these things does happen, have good logs, and watch things.

Maybe this was informative, maybe entertaining, maybe neither. Also, I realize I just made some probably egregious misinterpretations of medieval warfare. I am totally open to critique and education. :)

/ramble mode off

[denise]

I love you, Mark.

[sharpiefan]

Love your medieval DDoS attacks. I mean, your modern city-building. Er. Explanation.

Seriously, though, DW staff have a sense of humour and can and do explain things to the lay-person without them having to go hunting for it. That, right there, is why I love DW so very much. :D

[archangelbeth]

<3

[swaldman]

Hee. Love this explanation.

[princessofgeeks]

CROSSBOWS!

Thanks so much for the explanation and everything else.

[genarti]

This is such a great explanation, at least from my non-tech-expert perspective. I love it!

[decepticon_mistress]

LOL, best explanation ever!

[the_shoshanna]

very, very large armies and starve them out -- medieval DDoS attacks

Drawn-out Denial Of Sustenance!

[azurelunatic]

(busts up giggling)

[archangelbeth]

Oh, nicely done!

[ashkitty]

...that was awesome, thank you. :)

[wenchpixie]

As someone who is both technical and ever so slightly obsessed with medieval siege weapons, I find this explanation to be utterly BRILLIANT and very entertaining. Thank you!

[phoenixfire12]

Very entertaining, and to think I actually understood it. Thank you. BTW, I like crossbows. Have you progressed to or exceeded GATLING Crossbows?

[turlough]

Awesome and hilarious!

[firstsuperman]

That's actually a pretty good analogy to use so the laymen can grasp it.

Thanks for the hard work, and keeping Dreamwidth alive and kicking.

[okami_no_mure]

*Shriek of absolute joy!*

Mark has best analogy fu!

[cmcmck]

I was brought up in the shadow of a socking great Norman castle in the city of Rochester (probably to blame for my ending up doing history) which stood siege several times through all those developments, so this makes pretty good sense to me! :o)