Does Heroku permit admins to download SSL private keys, once uploaded?

RESOLVED FIXED


People

(Reporter: Atoll, Assigned: jeff)

(Reporter)

Description

3 years ago
We'd like to upload the SSL private key and cert for *.allizom.org to a Heroku instance on behalf of a user request.

Does Heroku implement this in a safe manner, such that once an SSL private key is uploaded, it cannot be downloaded by any admin?

Updated

3 years ago
Group: mozilla-employee-confidential
Component: Operations Security (OpSec): Investigation → Investigation
Product: mozilla.org → Enterprise Information Security
Version: other → unspecified

Updated

3 years ago
Group: mozilla-employee-confidential

Updated

3 years ago
See Also: → bug 1150824
Blocks: 1188108
Assignee: nobody → jbryner

Any update here?
Flags: needinfo?(jbryner)

Just heard back from Heroku. The SSL key actually ends up in an Amazon ELB, where it cannot be recovered. In addition, they attest that no admin from Heroku has access to the private key before or after reaching the ELB.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(jbryner)
Resolution: --- → FIXED