Wikimedia Blog/Drafts/Protecting users against POODLE by removing SSL 3.0 support

From Meta, a Wikimedia project coordination wiki

This was a draft for a blog post that has since been published at https://blog.wikimedia.org/2014/10/17/protecting-users-against-poodle-by-removing-ssl-3-0-support/

Title

Protecting users against POODLE by removing SSL 3.0 support

Body

To protect our users against the recently disclosed POODLE security vulnerability, we are removing support for SSL 3.0 on all Wikimedia sites as of 15:00 UTC (8:00 am PDT) today.

SSL 3.0 is an outdated implementation of the HTTPS web encryption protocol. HTTPS helps people communicate more securely across networks by encrypting the data they send and receive in a web browser.

SSL 3.0 was introduced in 1996 and has long since been superseded in all modern browsers. This means that very few people will be affected by this change. However, if you still use Internet Explorer 6 (IE6), or another old browser that only supports SSL 3.0, you will be affected in the following ways:

  • It will no longer be possible to log into your user account while using IE6. Logins generally require an encrypted connection to prevent password snooping, and IE6 only supports SSL 3.0.
  • You will not be able to use HTTPS for browsing the Wikimedia projects while using IE6.
  • You will still be able to read Wikipedia and our other sites using an HTTP connection while using IE6.

We made this decision in order to protect all of our users. The POODLE vulnerability allows an attacker to exploit weaknesses in the SSL 3.0 protocol, and potentially intercept a user’s data (something known as a man-in-the-middle attack). At the minimum, this could compromise the log-in details of registered users of the Wikimedia projects. IE6 is widely viewed as out of date and insecure, and Microsoft itself has urged users to upgrade to modern alternatives for several years now. In fact, we disabled JavaScript for IE6 this past August, also for the purpose of protecting our users’ security.

If you are one of our affected users, we strongly encourage you to consider upgrading from IE6. We want everyone to be as secure as possible, and a modern, standards-compliant browser is a great place to start.

Mark Bergsma
WMF Director of Technical Operations;
WMF Lead Operations Architect

Notes

Ideas for social media messages promoting the published post:

Twitter (@wikimedia/@wikipedia):

(Tweet text goes here - max 117 characters)

Facebook/Google+

  • ...