Hello
The short version: Flying Sphinx servers are no longer vulnerable to the Heartbleed OpenSSL exploit (as of mid-last week), and API credentials are being re-issued automatically.
The detailed version:
As you've very likely heard, the Heartbleed exploit for OpenSSL has had a significant impact on the majority of Internet sites and services. I just want to let you know how this has been addressed with Flying Sphinx.
Firstly, all Sphinx servers had OpenSSL updated to 1.0.1g last week. Once that was done and the hosting provider for the central API (Heroku) had addressed the issue within their infrastructure, all SSL certificates were then reissued with new private keys and CSRs, and database credentials were cycled as well.
Over the last few days, I've been putting in place the necessary pieces to re-issue Flying Sphinx API credentials (the FLYING_SPHINX_IDENTIFIER and FLYING_SPHINX_API_KEY environment variables you'll spot in your Heroku apps' configuration). While the odds of some nefarious black-hat coder not only obtaining these credentials but then going to the effort of mucking about with Sphinx's protocols to make use of them are slim, I don't want to take any chances with your data.
I'm now in the process of re-issuing new credentials for all apps - and you likely will not notice anything. Your app processes will restart with the new details, and everything will hum along as expected. Updates about this will be posted to Twitter.
However, we all know technology doesn't always go to plan - if you do notice any errors related to Sphinx persisting for more than a minute, run the rebuild task. If that doesn't fix things, please reply to this email and let me know.
I hope life is treating you well, and you haven't had too many headaches of your own due to Heartbleed.
Pat Allan
Flying Sphinx