Continuing the discussion from Where is the Source code for the Cloud:
It looks like this OpenSSL vulnerability affects probably something like 65-70% of web servers on the internet. It appears to be a bug in the “OpenSSL” package itself, and not the SSL/TLS standard. We’re researching how this affects the community. This bug could allow a very sophisticated attacker (like a government, or network operator) to perform a “man-in-the-middle” attack.
I think to be safe, we will probably revoke and re-issue our SSL certificate after patching this bug for *.spark.io to make sure web traffic remains protected. This does not affect encrypted core traffic at all.
Editing category so it stays at the top of the forum index.
Sorry about the community downtime, that was us patching the Heartbleed OpenSSL bug on community. We’re waiting on Amazon to finish patching the ELB instances on the east coast. We’ll also probably be sending out a blog post (and possibly an email) in the next day or so with recommendations for the community.
Personally, I recommend checking with sites you consider important security-wise: check their blogs and status feeds, make sure they’ve patched their sites, and check that their SSL certificates are dated after April 8th, 2014; then you should probably change your password there.
OK. Amazon has patched our load balancer pointed at api.spark.io.
This means ongoing leaks of things like access_tokens and login credentials are stopped, but we still need to regenerate our SSL certificate. It’s much less likely that someone is performing a man-in-the-middle attack, so updating our certs should happen in the next day or so.
What are we / What should you do next?
In the meantime, it’s a good idea to reset your access tokens in case any were exposed during the zero-day period. We’ll regenerate our certificate, and we’ll most likely encourage community members to change their account passwords once we can be confident the SSL certificate is updated.
Details to come tomorrow!
Not sure if the Gravatar side rotated/reset their SSL or not, but it seems like the gravatar loading on our community is broken, maybe due to them resetting all the tokens etc.
Hmm, are you still seeing this? The gravatars are loading normally even if I try hard clearing my cache.
Totally fine. Maybe I’m looking at the forum too often and saw the gravatar downtime period.
I wanted to send a shout out to the Spark community and let you know that we’ll be rotating our SSL certificates this evening (after 4pm CST) in response to the Heartbleed Bug.
Though we’ve got our automation scripts primed and ready to flip switches in a reliable and quick fashion, it is possible that some https requests to community.spark.io, www.spark.io, or api.spark.io will return “untrusted SSL certificate” errors of one kind or another while things are changing. Don’t be alarmed, this may happen for a brief period today.
Will post to this thread when we’re done.
Community site’s SSL cert has been rotated, moving on to the IDE and API now.
So we managed to improve the security of the community site today by enabling forward secrecy, the encryption technology that makes it impossible to decrypt an archived encrypted conversation if the long-term key is ever compromised. This goodness was done with some elliptic curve cryptography. Elliptic curve crypto is cool: more secure, less space, more efficient. Score…
Unfortunately, Amazon’s Elastic Load Balancer and Heroku’s SSL setup did not digest the new crypto algorithms so well, so our Heartbleed SSL certificate rotation task for api.spark and www.spark.io lives on for another day. Stay tuned.
Oh, cryptography. Right after posting this, I got a private message reporting that the site was not working for Chrome on Windows 7 and IE11 due to SSL issues. Reverted to the old cert again. Will use less modern, more widely supported crypto tomorrow while still shooting to support forward secrecy.
Sorry to anyone who was unable to access the site for a couple of hours this evening!
Not trying to make things sound worse, but yeah…
Your router might be running OpenSSL somehow, which idk why…
I personally, fortunately, have an open source router, and I just checked the changelog and it’s installed with the vulnerable OpenSSL.
You might want to check yours.
@jgoggins not sure if this will help us get forward secrecy on
@kennethlimcp, we’ve learned a lot through this process. That GitHub blog post adds to that: a good read, thanks for sharing!
New certificate deployed to the community. Strikes the best available balance between forward secrecy for most and compatibility for older browsers.
Aaaaaaand the new cert has been deployed to the API as well. Forward secrecy FTW.
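An added example (not code from Spark or from anyone in this thread) that applies the two checks this thread recommends to constructed `openssl` output: whether a certificate’s notBefore falls after the Heartbleed disclosure date of April 8th, 2014, and whether the negotiated cipher uses an ECDHE/DHE key exchange, i.e. offers forward secrecy. The function names and the sample output are assumptions made up for the example.

```python
from datetime import datetime

# Public disclosure of Heartbleed; the thread's advice is that a site's
# certificate should carry a notBefore later than this date.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 8)

# Key exchanges that give forward secrecy; static RSA and static DH do not.
FORWARD_SECRET_KEX = ("ECDHE", "DHE")


def parse_openssl_date(value):
    """Parse an 'openssl x509 -dates' timestamp like 'Apr  9 17:00:00 2014 GMT'."""
    parts = value.split()  # collapses the double space before single-digit days
    if len(parts) != 5 or parts[4] != "GMT":
        raise ValueError(f"unexpected openssl date: {value!r}")
    return datetime.strptime(" ".join(parts[:4]), "%b %d %H:%M:%S %Y")


def assess(openssl_output):
    """Summarise 's_client' plus 'x509 -noout -dates' output for one host."""
    not_before = cipher = None
    for raw in openssl_output.splitlines():
        line = raw.strip()
        if line.startswith("notBefore="):
            not_before = parse_openssl_date(line.split("=", 1)[1])
        elif line.startswith("Cipher") and ":" in line:
            # s_client's SSL-Session block: "Cipher    : ECDHE-RSA-AES128-GCM-SHA256"
            cipher = line.split(":", 1)[1].strip()
    if not_before is None or cipher is None:
        raise ValueError("output lacks a notBefore= or Cipher line")
    return {
        "not_before": not_before,
        "cipher": cipher,
        # Caveat: a post-disclosure notBefore only shows the cert was reissued,
        # not that the private key was regenerated; check the key changed too.
        "reissued_after_heartbleed": not_before > HEARTBLEED_DISCLOSURE,
        "forward_secrecy": cipher.split("-")[0] in FORWARD_SECRET_KEX,
    }


# Constructed sample output (not captured from any real host): a rotated
# certificate negotiated with an ECDHE suite, then an un-rotated one on static RSA.
SAMPLE_ROTATED = """\
notBefore=Apr 10 02:20:13 2014 GMT
SSL-Session:
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""
SAMPLE_STALE = """\
notBefore=Jan  9 00:00:00 2014 GMT
SSL-Session:
    Cipher    : AES128-SHA
"""
```

In practice the input would come from `openssl s_client -connect host:443` piped through `openssl x509 -noout -dates`; the sample strings here stand in for that output so the check runs offline.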
Is this the reason for verify and core connect issues? Everything was working fine 4 days ago!
HTML control is also no longer working
Have attempted re-issue of Access Token without luck, Core is slow breathing cyan.
That shouldn’t be affecting the API call or the forum would have been flooded with posts.
I did OTA like just a day ago.
But who knows right? I’m out right now so I can’t verify but do post back if it persists!
Team has been rather quiet for 2 weeks.
I just did an over-the-air update and it worked fine. I did have to log out and close browser windows to get the certificate updated yesterday, so you might want to try that.