Today another SSL vulnerability was announced. This one is named POODLE and is, while serious, much less serious than the Heartbleed event from some months ago.
Unfortunately, the only real way to fix the problem is to disable something called "SSLv3" entirely. Basically, this means that we instruct our servers that they are no longer allowed to speak version 3 of the SSL protocol (you can think of it as a language -- we ban this language from our servers). It turns out this is generally OK since most browsers don't actually speak using SSLv3 these days -- you actually use what's called TLS, which is a more modern, better way of protecting the stuff you send across the Internet.
The SSLv3 protocol is actually around 15 years old at this point, and TLS has been out so long that nearly every browser out there supports it. However, shutting off SSLv3 does mean that very old browsers -- IE6, for one -- can no longer talk to Dreamwidth using encryption. In this case, since the encryption wouldn't actually mean anything, we think it's better to not even pretend that it works.
I will be making this change sometime in the next hour or three. This really should impact almost none of you, but there might be one or two and, in that case, I'm sorry. We think it's better to do this so you know you're not actually secure than to let Dreamwidth pretend to be secure.
Edit: This has been deployed. SSLv3 is disabled on Dreamwidth.
Comments and questions welcome, as always!
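As an added illustration (not Dreamwidth's own code or tooling), here is one way to confirm from captured bytes that a server really refuses SSLv3: classify the first record it sends back to a client that offered only SSLv3. The function names and the sample records are constructed for this example.

```python
import struct

# Wire values from the SSL/TLS record layer: (major, minor) version pairs.
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
HANDSHAKE, ALERT, SERVER_HELLO = 0x16, 0x15, 0x02
ALERTS = {40: "handshake_failure", 70: "protocol_version"}


def classify_reply(data: bytes) -> str:
    """Classify the first record a server returns after a ClientHello."""
    if not data:
        return "refused: connection closed"
    if len(data) < 5:
        return "incomplete record"
    rec_type, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        return "incomplete record"
    if rec_type == ALERT:
        if length != 2:
            return "malformed alert"
        # Alert body is level (1 byte) followed by description (1 byte).
        return "refused: " + ALERTS.get(body[1], f"alert {body[1]}")
    if rec_type != HANDSHAKE or len(body) < 6 or body[0] != SERVER_HELLO:
        return "not a ServerHello"
    # Handshake header is type (1) + length (3); server_version follows.
    pair = (body[4], body[5])
    return "negotiated: " + VERSIONS.get(pair, f"unknown {pair[0]}.{pair[1]}")


def sslv3_disabled(reply_to_sslv3_only_hello: bytes) -> bool:
    """True when the reply to an SSLv3-only ClientHello is a refusal."""
    return classify_reply(reply_to_sslv3_only_hello).startswith("refused")


def build_server_hello(minor: int) -> bytes:
    """Constructed sample: minimal ServerHello with a zeroed random field."""
    hs = bytes([3, minor]) + bytes(32) + b"\x00" + b"\x00\x0a" + b"\x00"
    body = bytes([SERVER_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return bytes([HANDSHAKE, 3, minor]) + len(body).to_bytes(2, "big") + body


# Constructed sample replies (not captured from any real server).
SAMPLE_SSLV3_HELLO = build_server_hello(0)          # server still speaks SSLv3
SAMPLE_TLS12_HELLO = build_server_hello(3)          # server chose TLSv1.2
SAMPLE_ALERT = bytes([ALERT, 3, 0, 0, 2, 2, 40])    # fatal handshake_failure
```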
With denise's help (the bulk of this was from her really!), we've made major changes to the dev-facing wiki documentation for clarity.
Among other things:
merged multiple/redundant pages and sections
(hopefully) reduced the complexity of paths through the wiki for someone just getting started
The biggest change is to Dev Getting Started, which is now greatly expanded, with a much clearer flow, and more focus on someone totally new to DW/development. The resources for someone more experienced have been moved to Dev Quick Start.
The contents of Version Control have been merged with Newbie Guide: How To in Git and the latter is the canonical page for git info -- though now I'm tempted to go rename it to Version Control because it's shorter. Git How To? ;)
Git instructions in some pages have been updated to be much simpler with a pointer to the appropriate section in the git commands in case that's needed.
And the Directory Structure has been expanded to cover more subdirectories.
Beginner Dev Checklist needs some more effort to pull it apart: plan is to integrate it into other pages as appropriate and then get rid of it (since it's not sufficiently different from Dev Getting Started to warrant its own page).
Would appreciate if you poked around through the various pages and let me know if there's anything still left unclear, or if you're aware of similar pages that can be merged into these existing ones!
If I don't put in anything in the "link to existing account" boxes and click login/create account, I get: "Fatal error: Call to a member function checkPassword() on a non-object in /var/www/wiki/extensions/OpenID/SpecialOpenIDLogin.body.php on line 898"
So it looks like OpenID account creation may be horked. Possibly also regular account creation.
I've tested both the beta entry form and the default form and have had no issues posting. My add-ons are LJJuggler, Adblock Plus, Too Many Tabs and SexyUndo Closed Tabs. (There might be others, but those are the ones I can see right now. *g*)