Mark Smith (mark) wrote in dw_maintenance, 2014-10-14 05:38 pm

Upgrading against the POODLE vulnerability

Hi all,

Today another SSL vulnerability was announced. This one is named POODLE. It is serious, but much less so than the Heartbleed event from some months ago.

Unfortunately, the only real way to fix the problem is to disable something called "SSLv3" entirely. Basically, this means that we instruct our servers that they are no longer allowed to speak version 3 of the SSL protocol (you can think of it as a language -- we ban this language from our servers). It turns out this is generally OK since most browsers don't actually speak using SSLv3 these days -- you actually use what's called TLS, which is a more modern, better way of protecting the stuff you send across the Internet.

The SSLv3 protocol is actually around 15 years old at this point, and TLS has been out so long that nearly every browser out there supports it. However, shutting off SSLv3 does mean that very old browsers -- IE6, for one -- can no longer talk to Dreamwidth using encryption. In this case, since the encryption wouldn't actually mean anything, we think it's better to not even pretend that it works.
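Here is what "banning the language" looks like in practice, as an added example that is not Dreamwidth's own configuration (the post does not say which web server Dreamwidth runs; nginx, the hostname and the certificate paths are assumptions). The first block keeps SSLv3 negotiable, the second removes it from the list of protocols the server will speak:

```nginx
# BEFORE: SSLv3 is still in the allowed list (this was also the nginx
# default of the time), so any client that asks for it, or is pushed
# down to it, gets an SSLv3 session that POODLE can attack.
server {
    listen 443 ssl;
    server_name example.com;   # placeholder hostname, not Dreamwidth's

    ssl_certificate     /etc/ssl/certs/example.com.pem;   # placeholder paths
    ssl_certificate_key /etc/ssl/private/example.com.key;

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers   HIGH:!aNULL:!MD5;
}

# AFTER: SSLv3 is simply not offered. A client that can only speak SSLv3
# (IE6, old phone browsers) now gets a handshake failure rather than a
# connection that only looks encrypted; TLS clients are unaffected.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/certs/example.com.pem;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers   HIGH:!aNULL:!MD5;
}
```

After reloading, the change can be confirmed from the outside by attempting an SSLv3-only handshake against the server and checking that it is refused.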

I will be making this change sometime in the next hour or three. This really should impact almost none of you, but there might be one or two and, in that case, I'm sorry. We think it's better to do this so you know you're not actually secure than to let Dreamwidth pretend to be secure.

Edit: This has been deployed. SSLv3 is disabled on Dreamwidth.

Comments and questions welcome, as always!


alierak, 2014-10-15 04:12 pm (UTC)
Oh, shit, was that the PalmPilot? That would explain a lot.

You're right, the fallback to cleartext is definitely worse, making you vulnerable to a passive MITM, where the SSLv3 or JavaScript methods would only be vulnerable to an active MITM. I could see maybe throwing in a noscript section that tells you the password will be sent in cleartext.

siderea, 2014-10-16 02:57 am (UTC)
Yep, the Palm. Which, okay, is to be expected: it's something like a 2008 browser. But I presume also my Razr V3xx and my LG 500g phones aren't going to cope so hot. The Razr is also an antique (2006?) but the LG I bought in Nov 2012 off the Tracfone website. Using the web on it is expensive, so I haven't tried it yet. But I'm not hopeful.