Protecting users against POODLE by removing SSL 3.0 support

"Pudel-drawing" by Gustav Mützel (Brehms Tierleben), public domain

To protect our users against the recently disclosed POODLE security vulnerability, we are removing support for SSL 3.0 on all Wikimedia sites as of 15:00 UTC (8:00 am PDT) today.

SSL 3.0 is an outdated implementation of the HTTPS web encryption protocol. HTTPS helps people communicate more securely across networks by encrypting the data they send and receive in a web browser.

SSL 3.0 was introduced in 1996 and has long since been superseded in all modern browsers. This means that very few people will be affected by this change. However, if you still use Internet Explorer 6 (IE6), or another old browser that only supports SSL 3.0, you will be affected in the following ways:

  • It will no longer be possible to log into your user account while using IE6. Logins generally require an encrypted connection to prevent password snooping, and IE6 only supports SSL 3.0.
  • You will not be able to use HTTPS for browsing the Wikimedia projects while using IE6.
  • You will still be able to read Wikipedia and our other sites using an HTTP connection while using IE6.

We made this decision in order to protect all of our users. The POODLE vulnerability allows an attacker to exploit weaknesses in the SSL 3.0 protocol, and potentially intercept a user’s data (something known as a man-in-the-middle attack). At the minimum, this could compromise the log-in details of registered users of the Wikimedia projects. IE6 is widely viewed as out of date and insecure, and Microsoft itself has urged users to upgrade to modern alternatives for several years now. In fact, we disabled JavaScript for IE6 this past August, also for the purpose of protecting our users’ security.

If you are one of our affected users, we strongly encourage you to consider upgrading from IE6. We want everyone to be as secure as possible, and a modern, standards-compliant browser is a great place to start.

Mark Bergsma
WMF Director of Technical Operations;
WMF Lead Operations Architect

 


Archive notice: This is an archived post from blog.wikimedia.org, which operated under different editorial and content guidelines than Diff.


5 Comments

You can enable TLS in IE6 by going to Tools -> Internet Options -> Advanced -> Security and ticking the boxes. (Though most people stuck on IE6 will be in an environment so locked down they can’t do that.)

Please use the most secure version of TLS, TLS 1.2.

We have a user reporting problems with SeaMonkey 1.1.19, do we have instructions for them? We should probably update several pages around
http://kb.mozillazine.org/Error_loading_secure_sites

Suggestion from mutante: if you’re having issues, check your browser by visiting https://www.howsmyssl.com/. It’s then easier to offer support.

Great! Now support secure HTTP (HTTPS) by default on all Wikimedia sites. There is no reason to prolongate default HTTPS to protect the users. Thank you.