FYI to this audience as well:

We're resetting all user session tokens today due to Heartbleed.

What I didn't state below is that we have already replaced our SSL certs
as well as upgraded to the fixed version of openssl.

----- Forwarded message from Greg Grossmeier <g...@wikimedia.org> -----

> Date: Tue, 8 Apr 2014 13:54:26 -0700
> From: Greg Grossmeier <g...@wikimedia.org>
> To: Wikitech Ambassadors <wikitech-ambassad...@lists.wikimedia.org>
> Subject: Security precaution - Resetting all user sessions today
> 
> Yesterday a widespread issue in OpenSSL was disclosed that would allow
> attackers to gain access to privileged information on any site running a
> vulnerable version of that software. Unfortunately, all Wikimedia
> Foundation hosted wikis are potentially affected. 
> 
> We have no evidence of any actual compromise to our systems or our users'
> information, but as a precautionary measure we are resetting all user
> session tokens. In other words, we will be forcing all logged-in users
> to re-login (i.e., we are logging everyone out).
> 
> All logged in users send a secret session token with each request to the
> site and if a nefarious person were able to intercept that token they
> could impersonate other users. Resetting the tokens for all users will
> have the benefit of making all users reconnect to our servers using the
> updated and fixed version of the OpenSSL software, thus removing this
> potential attack. 
> 
> As an extra precaution, we recommend all users change their passwords as
> well.
> 
> 
> Again, there has been no evidence that Wikimedia Foundation users were
> targeted by this attack, but we want all of our users to be as safe as
> possible. 
> 
> 
> Thank you for your understanding and patience, 
> 
> Greg Grossmeier
> 
> 
> -- 
> | Greg Grossmeier            GPG: B2FA 27B1 F7EB D327 6B8E |
> | identi.ca: @greg                A18D 1138 8E47 FAC8 1C7D |



----- End forwarded message -----

-- 
| Greg Grossmeier            GPG: B2FA 27B1 F7EB D327 6B8E |
| identi.ca: @greg                A18D 1138 8E47 FAC8 1C7D |
