Bug 1434990: [Meta] Ensure all Heroku apps using Postgres are using SSL prior to Feb/March breaking change
Status: RESOLVED FIXED (opened 7 years ago, closed 7 years ago)
Categories: mozilla.org :: Heroku: Administration, task
Tracking: Not tracked
People: Reporter: emorley, Assigned: emorley
Keywords: meta
This email was sent to all Heroku admins (but individual app members won't have seen it):
"""
Dear Heroku Customer,
Since 2016, all newly-provisioned Heroku Postgres databases have enforced the use of SSL to keep your data safe. However, one or more of your Postgres databases are running on legacy infrastructure, which does not enforce the use of SSL. In order to update your database to our security standards, and in response to potential impacts caused by Spectre and Meltdown, all databases - including those on legacy infrastructure - will be moved to our new Heroku PGX plans in a set of maintenances starting in March 2018 and concluding by April 2018.
What Do I Need to Do
In preparation for these maintenances, please check that your applications are using SSL to connect to your Postgres database and enable SSL connections if needed. Instructions on how to perform these steps are available in Dev Center.
These are your databases that do not currently have SSL enabled:
postgresql-amorphous-8154 (standard-0) on pulseguardian;
rolling-carefully-5193 (standard-0) on mozilla-pontoon
What's Next
As an additional measure, we will temporarily enforce SSL on your databases in a series of “brownouts” to help you detect any applications that are connecting to your databases without using SSL. If you have enabled SSL prior to these brownouts, you will not be affected. If you have not, you will experience database connection errors during those brownouts. We will contact you if we see any errors from your database during those brownouts. Those brownouts will be held on:
* February 14, for a total duration of 10 minutes per database, between 5 PM and 9 PM UTC
* February 21, for a total duration of 30 minutes per database, between 5 PM and 9 PM UTC
* February 28, for a total duration of 1 hour per database, between 5 PM and 9 PM UTC
By April 2018, all legacy Postgres databases will have been migrated to PGX infrastructure, regardless of whether SSL has been enabled or not.
If your app does not enforce SSL for database connections prior to our March 2018 maintenances, it will break.
"""
More info here:
https://devcenter.heroku.com/articles/heroku-postgres-ssl-brownouts
To the people needinfoed, please file bugs blocking this one to take the steps mentioned above - thank you!
Flags: needinfo?(mcote)
Flags: needinfo?(m)
Comment 2 • Assignee • 7 years ago
6 days until the first brownout:
https://status.heroku.com/incidents/1397
Comment 4 • Assignee • 7 years ago
The scheduled brownout of legacy Heroku Postgres databases is now underway:
https://status.heroku.com/incidents/1397
From the linked page:
"Please note that although the window for these brownouts will last 4 hours, it will only last for a total of 10 minutes per database."
Comment 5 • Assignee • 7 years ago
Looks like both apps survived the brownout, and the only changes needed are those to switch sslmode from `prefer` to `require` to prevent downgrade attacks (but that's orthogonal).
Assignee: nobody → emorley
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
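The difference between sslmode `prefer` and `require` mentioned in comment 5, as an added example that is not part of this bug or of Heroku's documentation: a Python audit of connection-URL config vars that reports which ones would still permit a plaintext session. It assumes each URL is handed unchanged to a libpq-based driver; the function names and the sample config vars are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# libpq sslmode values, weakest first. Modes before "require" can end up on a
# plaintext session; "require" and above refuse plaintext. Only verify-ca and
# verify-full additionally validate the server certificate.
MODES = ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]
LIBPQ_DEFAULT = "prefer"  # what libpq uses when no sslmode is given


def effective_sslmode(url, env_sslmode=None):
    """Return the sslmode a libpq client would use, or None if not a documented value.
    A value in the URL overrides PGSSLMODE (env_sslmode). If the URL repeats
    sslmode, the weakest value is reported (an audit choice made here)."""
    given = parse_qs(urlsplit(url).query).get("sslmode") or [env_sslmode or LIBPQ_DEFAULT]
    if any(mode not in MODES for mode in given):
        return None
    return min(given, key=MODES.index)


def audit(config, env_sslmode=None):
    """Map each Postgres URL config var to (sslmode, verdict)."""
    findings = {}
    for name, value in sorted(config.items()):
        if urlsplit(value).scheme not in ("postgres", "postgresql"):
            continue  # not a Postgres connection URL
        mode = effective_sslmode(value, env_sslmode)
        if mode is None:
            verdict = "invalid"
        elif MODES.index(mode) >= MODES.index("require"):
            verdict = "enforced"
        else:
            verdict = "downgradable"
        findings[name] = (mode, verdict)
    return findings


# Constructed sample config vars (hosts and credentials are placeholders).
SAMPLE_CONFIG = {
    "DATABASE_URL": "postgres://app:secret@db.example.invalid:5432/app",
    "HEROKU_POSTGRESQL_COPPER_URL": "postgres://app:secret@db.example.invalid:5432/app?sslmode=require",
    "REPLICA_URL": "postgresql://app:secret@db.example.invalid/app?sslmode=require&sslmode=prefer",
    "TYPO_URL": "postgres://app:secret@db.example.invalid/app?sslmode=Require",
    "REDIS_URL": "redis://cache.example.invalid:6379",
}

if __name__ == "__main__":
    for var, (mode, verdict) in audit(SAMPLE_CONFIG).items():
        print(f"{var}: sslmode={mode} -> {verdict}")
```

A var reported as `downgradable` can survive an SSL-enforcing brownout, because `prefer` negotiates SSL when the server offers it, while still accepting plaintext if SSL is not offered.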