Closed
Bug 1191075
Opened 10 years ago
Closed 9 years ago
Does Heroku permit admins to download SSL private keys, once uploaded?
Categories
(Enterprise Information Security Graveyard :: Investigation, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: Atoll, Assigned: jeff)
We'd like to upload the SSL private key and cert for *.allizom.org to a Heroku instance on behalf of a user request.
Does Heroku implement this in a safe manner, such that once an SSL private key is uploaded, it cannot be downloaded by any admin?
Updated•10 years ago
Group: mozilla-employee-confidential
Component: Operations Security (OpSec): Investigation → Investigation
Product: mozilla.org → Enterprise Information Security
Version: other → unspecified
Updated•10 years ago
Group: mozilla-employee-confidential
Updated•10 years ago
Assignee: nobody → jbryner
Comment 2•9 years ago
Just heard back from Heroku. The SSL key actually ends up in an Amazon ELB where it cannot be recovered. In addition, they attest that no admin from Heroku has access to the private key before or after reaching the ELB.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jbryner)
Resolution: --- → FIXED
Updated•4 years ago
Product: Security Assurance → Enterprise Information Security Graveyard