[Owasp-board] Fwd: 10/28 update on disabling SSLv3 traffic on our network

Matt Tesauro matt.tesauro at owasp.org
Wed Oct 29 02:42:54 UTC 2014


To be honest, I've not taken the time to look at any reporting from Akamai
beyond the "dashboard" page that appears when you log into the web
console.  I did note back in September when I turned on CDN that ~ 43% of
requests to www.owasp.org were handled by Akamai's cache.  It does not
cache any PHP generated pages since the wiki can be dynamically edited and
caching those would cause big usability issues.  Even at 43% caching, the
load on our server is notably less.

I don't believe we are using anything Kona and just using the SSL/TLS-ified
CDN service from Akamai - I'm not sure what their marketing department has
named that service.

I'm sure you can get Top [thing here] stats from our Google Analytics which
shouldn't vary from Akamai since our PHP pages are not cached and contain
the Google Analytics JavaScript.


-- Matt Tesauro
OWASP WTE Project Lead
http://AppSecLive.org - Community and Download site
OWASP OpenStack Security Project Lead

On Tue, Oct 28, 2014 at 1:10 PM, Tom Brennan - OWASP <tomb at owasp.org> wrote:

> Thanks for the heads up --- Matt can you provide any reports from Akamai
> on utilization, most requested, blocks if we are using KONA etc...
> Now that the Akamai service is up and running and operational -- would
> like to baseline and measure it and share that data with the community if
> they are interested in it like me.
> Top requesting regions, countries, zones
> Top page requests
> Top unique visitors monthly
> <insert other info>
> On Tue, Oct 28, 2014 at 2:00 PM, Matt Tesauro <matt.tesauro at owasp.org>
> wrote:
>> FYI:  Akamai is disabling SSLv3 for CDN which is used by www.owasp.org.
>> TLDR; some security Darwinism effects will be felt by those still using
>> Win XP + IE.  Looking quickly at our Google Analytics, IE 6 show 217 out of
>> our 80,384 sessions - i.e. not much traffic.
>> Let me know if this is a problem for the board and I'll ping Akamai for
>> options.
>> Cheers!
>> ---------- Forwarded message ----------
>> From: <ccare at akamai.com>
>> Date: Tue, Oct 28, 2014 at 11:30 AM
>> Subject: 10/28 update on disabling SSLv3 traffic on our network
>> To: matt.tesauro at owasp.org
>> This is a follow up to our message dated Oct 14, 2014 regarding the
>> "Poodle" Vulnerability (
>> https://blogs.akamai.com/2014/10/ssl-is-dead-long-live-tls.html).
>> This an additional reminder that we are now in the process of disabling
>> SSLv3 between clients and Edge servers and expect to start denying SSLv3
>> traffic around 28 Oct 2014 17:00 UTC in a phased manner.  To avoid
>> interruptions to your traffic on the client to Edge side, please ensure
>> that your clients support higher than SSLv3 protocols (particularly custom
>> clients).
>> Please contact Customer Care if you have any questions or if we can be of
>> any assistance.
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20141028/367454fb/attachment.html>

More information about the Owasp-board mailing list