Progress update on security work and site performance
Here's a brief update on the progress of our security work mentioned earlier in news.
We are almost done with our planned changes to address a security vulnerability in the way Firefox handles certain scripts that malicious users could embed in their journals. In particular, the vulnerability relates to the cookies we use to keep you logged in to LiveJournal. We plan to have our full fix live soon.
To minimize risk to your account in the meantime, we expired everyone's cookies earlier in the day today. You may have noticed that you had to log back in, as well as the related site slowness and general turbulence that followed.
If you use a Mozilla browser (including Firefox) and want to be extra cautious, you may want to turn off JavaScript temporarily. We also always recommend selecting the "Bind cookie to IP address" option after you log in to LiveJournal. This will protect your cookies from this vulnerability, though it might also cause you to get logged out more often if your IP changes (such as for dial-up users).
It's probably worth a quick note about how we handle these security issues in general. We are always very serious about ensuring the security of our users' accounts and content on LiveJournal. We hope that's clear. We jumped on this vulnerability as soon as it was discovered. We're confident that we are in the process of closing it. This kind of thing happens now and then and we stomp it whenever it comes up; it's not ideal, but it's not unusual either.
As a rule among large services like ours, we do not broadcast details about vulnerabilities until we've addressed the problem *and* communicated about it to other involved parties. We also try to be clear and open with you all, so we posted when we had good information for you. For more about the technical details of what we're doing, watch for a future post in lj_dev.
Finally, we feel it is unfortunate and apologize that any users have had any negative experience using the site. We take security and performance issues seriously and you can be sure we are always working to try to improve your experience. Thank you for your understanding as we continue to adapt and improve site security and performance.
We are almost done with our planned changes to address a security vulnerability in the way Firefox handles certain scripts that malicious users could embed in their journals. In particular, the vulnerability relates to the cookies we use to keep you logged in to LiveJournal. We plan to have our full fix live soon.
To minimize risk to your account in the meantime, we expired everyone's cookies earlier in the day today. You may have noticed that you had to log back in, as well as the related site slowness and general turbulence that followed.
If you use a Mozilla browser (including Firefox) and want to be extra cautious, you may want to turn off JavaScript temporarily. We also always recommend selecting the "Bind cookie to IP address" option after you log in to LiveJournal. This will protect your cookies from this vulnerability, though it might also cause you to get logged out more often if your IP changes (such as for dial-up users).
It's probably worth a quick note about how we handle these security issues in general. We are always very serious about ensuring the security of our users' accounts and content on LiveJournal. We hope that's clear. We jumped on this vulnerability as soon as it was discovered. We're confident that we are in the process of closing it. This kind of thing happens now and then and we stomp it whenever it comes up; it's not ideal, but it's not unusual either.
As a rule among large services like ours, we do not broadcast details about vulnerabilities until we've addressed the problem *and* communicated about it to other involved parties. We also try to be clear and open with you all, so we posted when we had good information for you. For more about the technical details of what we're doing, watch for a future post in lj_dev.
Finally, we feel it is unfortunate and apologize that any users have had any negative experience using the site. We take security and performance issues seriously and you can be sure we are always working to try to improve your experience. Thank you for your understanding as we continue to adapt and improve site security and performance.