July 7, 2011
More fun with SSL certificate verification failures
Some of you who tried to access spideroak.com a couple hours ago may have noticed a security warning from your browser complaining about an invalid certificate.
No, we didn’t forget to change the storage certificates again. In fact, the new certificate was purchased back in April.
Turns out there was some fun to be had with our new SSL certificate. (SSL is the mechanism that browsers use to encrypt your connection to the server, giving you the nice padlock icon so that you know websites like SpiderOak.com are secure.)
GeoTrust changed their certificate roots due to some weaknesses in the old one, which meant that there was not only a new root, but also a new intermediate RapidSSL certificate thrown in for good measure. (The root is the certificate that browsers use to verify that all certificates are genuine. The intermediate certificate establishes a chain of certificates from the root to the certificate used by an individual website.)
This took me a few minutes to figure out, but once I got the extra intermediate certificate thrown in there, the website was happy.
Unfortunately there was another problem: the SpiderOak client didn’t know about the new certificate root. This would have affected anyone who was trying to complete their first signup or create a new device in the SpiderOak client.
The core of the problem is that by default, Python, the language that SpiderOak is mostly written in, does not verify SSL certificates at all, so we were forced to roll our own verification routines. We whipped up our own system that simply packaged the certificates in the client itself, which was better anyway because it didn’t rely on sometimes-broken external SSL certificate chains. Today’s problem is the obvious downside. Our developers responded quickly and pushed out new builds with the updated certificate in about an hour.
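The two failures described above (a server that does not send the new intermediate, and a client whose bundled trust store lacks the new root) can be reproduced with the `openssl` command line against a throwaway PKI. This is an added example, not SpiderOak's code: every certificate name is constructed, `-CAfile` stands in for the certificates packaged in the client, and `-untrusted` stands in for the intermediate the server sends.

```bash
#!/usr/bin/env bash
# Constructed lab PKI: every name and file below is made up for this example.
LAB=$(mktemp -d); trap 'rm -rf "$LAB"' EXIT

# issue NAME ISSUER IS_CA: make a key and certificate for NAME, signed by
# ISSUER (self-signed when ISSUER is NAME). IS_CA is TRUE or FALSE.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$LAB/$1.key" -out "$LAB/$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:%s\n' "$3" > "$LAB/ext.cnf"
  if [ "$1" = "$2" ]; then
    openssl x509 -req -in "$LAB/$1.csr" -signkey "$LAB/$1.key" -days 30 \
      -extfile "$LAB/ext.cnf" -out "$LAB/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$LAB/$1.csr" -CA "$LAB/$2.pem" -CAkey "$LAB/$2.key" \
      -CAcreateserial -days 30 -extfile "$LAB/ext.cnf" -out "$LAB/$1.pem" 2>/dev/null
  fi
}

# check BUNDLE [SENT]: validate the site certificate with BUNDLE as the trust
# anchors shipped in the client; SENT is the intermediate the server offers.
check() {
  if openssl verify -CAfile "$1" ${2:+-untrusted "$2"} "$LAB/lab-site.pem" \
      >/dev/null 2>&1; then echo trusted; else echo rejected; fi
}

issue lab-old-root     lab-old-root     TRUE
issue lab-new-root     lab-new-root     TRUE
issue lab-intermediate lab-new-root     TRUE
issue lab-site         lab-intermediate FALSE
# A bundle carrying both roots during a changeover accepts either hierarchy.
cat "$LAB/lab-old-root.pem" "$LAB/lab-new-root.pem" > "$LAB/both-roots.pem"

OLD=$LAB/lab-old-root.pem NEW=$LAB/lab-new-root.pem INT=$LAB/lab-intermediate.pem
echo "old root bundled, intermediate sent:    $(check "$OLD" "$INT")"
echo "new root bundled, intermediate missing: $(check "$NEW")"
echo "new root bundled, intermediate sent:    $(check "$NEW" "$INT")"
echo "both roots bundled, intermediate sent:  $(check "$LAB/both-roots.pem" "$INT")"
```

Running the same `check` against a candidate bundle before a certificate is swapped on the server shows whether already-deployed clients will still accept it.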
So if you’ve had problems signing up, we’re sorry. We screwed up. Please download the latest version and try it again. I’ll be over here taking my due flogging.
TL;DR: All your existing backups, syncs, devices, shares, and everything else are fine. The next time you add a new device to your SpiderOak account, you’ll need to download the latest version of SpiderOak.
Update: If you tried to sign up during this time, you should be receiving an email from us shortly, along with an extra gigabyte of free storage to show our appreciation for your patience.
Update 2: It turns out that some older Android phones (older than Android 2.3) don’t include the newer CA roots! (Although the original iPhone from 2007 does have those roots included via OS updates, and some Android vendors seem to include them also, so it is somewhat unpredictable whether a given phone has them.)
So, we’ve had to add an intermediate certificate to spideroak.com for older Android compatibility. We’ve published the desktop client revision 9830 which also recognizes this additional certificate. Once again, all existing devices, backups, syncs, etc. are fine. You’ll need the newest SpiderOak the next time you add a new device to your account (which is generally the best practice anyway). -Alan