Mark Smith (mark) wrote in dw_maintenance, 2014-10-14 05:38 pm

Upgrading against the POODLE vulnerability

Hi all,

Today another SSL vulnerability was announced. This one is named POODLE. It is serious, but much less serious than the Heartbleed event from some months ago.

Unfortunately, the only real way to fix the problem is to disable something called "SSLv3" entirely. Basically, this means that we instruct our servers that they are no longer allowed to speak version 3 of the SSL protocol (you can think of it as a language -- we ban this language from our servers). It turns out this is generally OK, since most browsers don't actually speak SSLv3 these days -- they use what's called TLS, which is a more modern, better way of protecting the stuff you send across the Internet.

The SSLv3 protocol is actually around 15 years old at this point, and TLS has been out so long that nearly every browser out there supports it. However, shutting off SSLv3 does mean that very old browsers -- IE6, for one -- can no longer talk to Dreamwidth using encryption. In this case, since SSLv3 encryption wouldn't actually protect anything, we think it's better not to pretend that it works.

I will be making this change sometime in the next hour or three. This really should impact almost none of you, but there might be one or two and, in that case, I'm sorry. We think it's better to do this so you know you're not actually secure than to let Dreamwidth pretend to be secure.

Edit: This has been deployed. SSLv3 is disabled on Dreamwidth.
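As an added illustration of what "disabling SSLv3 entirely" looks like on a web server (this is not Dreamwidth's own configuration, and the post does not say which server software Dreamwidth runs; nginx, the hostname and the certificate paths are all assumptions), here is the pre-POODLE setting beside the corrected one:

```nginx
# Added example, not Dreamwidth's configuration. Assumes nginx; hostname and
# certificate paths below are placeholders.
server {
    listen 443 ssl;
    server_name www.example.test;                      # placeholder hostname

    ssl_certificate     /etc/ssl/certs/example.crt;    # placeholder path
    ssl_certificate_key /etc/ssl/private/example.key;  # placeholder path

    # Before: SSLv3 is still offered. A client (or anyone able to interfere
    # with the connection) that ends up negotiating SSLv3 gets the legacy
    # CBC padding that POODLE exploits, so the server must refuse it outright.
    # ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

    # After: SSLv3 removed entirely. Only TLS versions are negotiated;
    # clients that speak nothing newer than SSLv3 (the IE6 case from the
    # post) can no longer connect over HTTPS at all.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
```

The equivalent Apache httpd directive is `SSLProtocol all -SSLv2 -SSLv3`. After reloading the server, confirm the change from another machine: `openssl s_client -connect www.example.test:443 -ssl3` should fail to complete a handshake, while the same command with `-tls1` (or newer) should succeed. The `-ssl3` option only exists in OpenSSL builds that still include SSLv3 support, which is exactly the legacy client you want to be sure is turned away.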

Comments and questions welcome, as always!


saratogaroad, 2014-10-15 11:20 am (UTC)
Heartbleed, POODLE... who names these things? xD That aforementioned mental image of a poodle whose fur is twisted cords is too funny, but thanks for all your work to keep us safe and in the loop! It's very much appreciated. <3

mildred_of_midgard, 2014-10-15 04:23 pm (UTC)
Also shellshock. :D I hate the vulnerabilities, but I love the names!

Big thumbs up to the maintainers for clear and open communication.

frayingboundaries, 2014-10-15 08:23 pm (UTC)
Oh! I'm happy to oblige. <3

And the curly twisted fur poodle would also have little plug-ins on the end of each coil, a bit like the plugs you connect an iPod or whatnot with.

Also, you are entirely not the only person wondering where the heck they come up with these names. I keep expecting to find one named Nosegoblin or something equally hideously random. But then, I guess Heartbleed is pretty random isn't it? But seriously, I'm so glad my mental image made you smile.

geekosaur, 2014-10-16 12:21 am (UTC)
Heartbleed's not that random, since it's a bug in OpenSSL's "heartbeat" protocol extension that leaks memory contents.

frayingboundaries, 2014-10-16 06:20 am (UTC)
OH! Now that's nifty. I wasn't aware of that.

I still wonder where they got Poodle.

FYI, your username makes me a very happy person.

geekosaur, 2014-10-19 02:48 am (UTC)
Rather banal in this case; it's an acronym. "Padding Oracle On Downgraded Legacy Encryption".

frayingboundaries, 2014-10-19 09:59 pm (UTC)
For some reason, that makes it even funnier! :D