Upgrading against the POODLE vulnerability
Hi all,
Today another SSL vulnerability was announced. This one is named POODLE (short for Padding Oracle On Downgraded Legacy Encryption) and, while serious, is much less serious than the Heartbleed event from some months ago: instead of letting anyone read a server's memory, it lets an attacker who can tamper with traffic between you and a site slowly decrypt small pieces of a connection that is using the old SSLv3 protocol.
Unfortunately, the only real way to fix the problem is to disable something called "SSLv3" entirely. Basically, this means we instruct our servers that they are no longer allowed to speak version 3 of the SSL protocol (you can think of it as a language -- we ban this language from our servers). It turns out this is generally OK, since browsers these days don't normally speak SSLv3 to us anyway: they use what's called TLS, which is a more modern, better way of protecting the stuff you send across the Internet, and only fall back to SSLv3 if a TLS connection fails. That fallback is exactly what a POODLE attacker tries to trigger, which is one more reason to take SSLv3 off the table completely.
The SSLv3 protocol dates from 1996, so it is nearly 20 years old at this point, and TLS has been out so long that nearly every browser out there supports it. However, shutting off SSLv3 does mean that very old browsers -- IE6 in its default configuration, for one -- can no longer talk to Dreamwidth using encryption. In this case, since SSLv3 encryption wouldn't actually protect you anyway, we think it's better to not even pretend that it works.
I will be making this change sometime in the next hour or three. This really should impact almost none of you, but there might be one or two and, in that case, I'm sorry. We think it's better to do this so you know you're not actually secure than to let Dreamwidth pretend to be secure.
Edit: This has been deployed. SSLv3 is disabled on Dreamwidth.
Comments and questions welcome, as always!
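For anyone running their own servers, here is what "no longer allowed to speak SSLv3" looks like in practice. This is an added example and not Dreamwidth's own configuration or tooling: it shows the weak Apache and nginx protocol settings beside the corrected ones, and a small audit script that reads a config file and reports whether SSLv3 is still permitted. The two sample config files, the function names and the verdict strings are all constructed for this illustration.

```shell
#!/bin/sh
# Added example, not Dreamwidth's own configuration or tooling: the Apache and
# nginx directives that turn SSLv3 off, and a small audit that reports whether a
# config file still permits it. The two sample config files are constructed here
# for illustration.

# Apache: succeed (return 0) if an SSLProtocol line still permits SSLv3.
# "all" means every protocol mod_ssl supports, which includes SSLv3 (SSLv2 is
# excluded), and a "-SSLv3" token removes it no matter where it appears.
apache_allows_sslv3() {
    allowed=1
    for tok in $(printf '%s\n' "$1" | sed 's/^[[:space:]]*SSLProtocol[[:space:]]*//'); do
        case "$tok" in
            -SSLv3|-sslv3) return 1 ;;
            all|+all|SSLv3|+SSLv3|sslv3|+sslv3) allowed=0 ;;
        esac
    done
    return "$allowed"
}

# nginx: ssl_protocols is an explicit allow-list, so SSLv3 is permitted only
# if it is named in the list.
nginx_allows_sslv3() {
    printf '%s\n' "$1" \
        | sed 's/^[[:space:]]*ssl_protocols[[:space:]]*//; s/;.*//' \
        | tr ' ' '\n' | grep -qix 'SSLv3'
}

# Walk a config file, print a verdict for every protocol directive found, and
# return 0 if any of them still permits SSLv3 (the host is still exposed).
# Full-line "#" comments are skipped; this handles only the directive forms
# shown in the samples, not every mod_ssl or nginx syntax variant.
audit_file() {
    exposed=1
    while IFS= read -r line; do
        case "$line" in
            \#*) continue ;;
            *SSLProtocol*)
                if apache_allows_sslv3 "$line"; then
                    echo "SSLv3 ALLOWED: $line"; exposed=0
                else
                    echo "ok:            $line"
                fi ;;
            *ssl_protocols*)
                if nginx_allows_sslv3 "$line"; then
                    echo "SSLv3 ALLOWED: $line"; exposed=0
                else
                    echo "ok:            $line"
                fi ;;
        esac
    done < "$1"
    return "$exposed"
}

# Constructed samples: the weak setting beside the corrected one for each server.
WEAK=$(mktemp) && FIXED=$(mktemp)
trap 'rm -f "$WEAK" "$FIXED"' EXIT
cat >"$WEAK" <<'EOF'
# Apache, vulnerable: "all" still includes SSLv3
SSLProtocol all -SSLv2
# nginx, vulnerable: SSLv3 listed explicitly
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
EOF
cat >"$FIXED" <<'EOF'
# Apache, fixed: refuse SSLv3 outright
SSLProtocol all -SSLv2 -SSLv3
# nginx, fixed: allow-list only TLS versions
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
EOF

for f in "$WEAK" "$FIXED"; do
    if audit_file "$f"; then
        echo "=> $f: still speaks SSLv3, POODLE applies"
    else
        echo "=> $f: SSLv3 disabled"
    fi
done
```

After reloading the server, the check from the outside is to force an SSLv3-only handshake, for example with `openssl s_client -connect www.dreamwidth.org:443 -ssl3`, and confirm it fails with a handshake error rather than printing a certificate. One caveat: OpenSSL builds from 1.1.0 onward leave SSLv3 out entirely, so on a recent machine `-ssl3` may simply be rejected as an unknown option, in which case you need an older OpenSSL or an external scanner to run that test.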
no subject
Thank you so, so much for this. For once, I do not seem to be one of the people whose older browser is impacted, but I have been often enough to really, really appreciate an explanation, and an acknowledgment that anybody using something that old might be doing so for a reason, rather than the usual "your browser is ugly and its mother dresses it funny, upgrade now, loser!" attitude that many other sites think qualifies as customer service.
You guys seriously rock.
(And it sounds like the affected browsers will still be able to use the site, just not with encryption? Leaving it up to the users to decide what's priority for them? Awesome.)
no subject
This. So much.
Glad my browser is in the clear this time. :)
no subject
That depends on whether you're willing to send your DW password in the clear.