On November 20th at 0300 UTC (Nov. 19, 2200 EST), I'm going to be changing our SSL certificates for fogcreek.com, fogbugz.com, and kilnhg.com to be SHA-256 instead of SHA-1. If there is an upgrade scheduled that evening, this will occur immediately after the upgrade. For most people there will be no impact beyond securing your communications with us for additional years to come. For our Kiln On Demand customers, there's a small caveat that will impact a small portion of you. If you want to know the reasoning behind our choice and the background of the situation, read this whole post. If you are a Kiln On Demand customer and just want to know the nitty-gritty, skip down to the "How will this impact Kiln On Demand?" section below!
This is also not the last update you'll hear about this. We will post a reminder the week before, then give our standard "1 business day" notice before the maintenance.
Got it! So, what are you doing? And why?
There are a ton of resources for understanding the current situation. My current favorite is Eric Mill's breakdown. If you want more in-depth technical details, start there.
Many of you have already heard that Google has decided to accelerate the demise of SHA-1 using little but their browser's popularity. Here's their schedule as it impacts us, in brief (all the "warnings" below apply to Chrome only):
- Starting this November, any SHA-1 certificates expiring in 2017 or beyond will display the SSL warning triangle
- In December, any SHA-1 certificates expiring after June 1, 2016 will display the warning
- In January 2015, any SHA-1 certificates expiring any time in 2016 will display the warning
It goes on from there, but we'll be long done with SHA-1 at Fog Creek before then. Astute readers will have observed that all three of our major certificates (wildcards for fogcreek.com, fogbugz.com, and kilnhg.com) expire in 2016. That means we need to re-key our certificates using a SHA-2 algorithm to prevent our customers from seeing those warning triangles. Let me make that reason clear in another way, just to avoid confusion:
We are re-keying our certificates for the sole purpose of making sure you, our dear customers, do not see a yellow triangle... because when you see that triangle, I feel embarrassed and self-conscious about the infrastructure I build.
We have no reason to believe that your data or connections to us are in any way unsafe (beyond the weakness of SHA-1 in the first place, which is what this is all about). This maintenance is all about my own self-confidence issues in regards to our customer experience.
How will this impact FogBugz On Demand and the Fog Creek websites?
It won't have any visible or performance impact. In fact, nobody should notice anything changed unless they go to examine the certificate. We still have additional testing to do in our staging environment, of course, but there's no reason for anything to change. Should our testing reveal something unexpected, we'll post to this blog with an update before the maintenance occurs.
How will this impact Kiln On Demand?
This requires the most testing in our staging environment, but there's a small wrinkle with Mercurial: it refuses to talk to a host whose certificate fingerprint doesn't match the one it expects, and its configuration lets you pin that expected fingerprint. Some customers may notice that, after the change, Mercurial will no longer interact with their repositories and will instead report an error about the host fingerprint. That's because the fingerprint of our certificate will have changed (because the key changed). Fortunately, it's relatively easy to fix, and we wrote a short article on how to do it. Naturally, the fingerprint quoted in that article is going to change; we'll update the article at the appropriate time and also publish the new fingerprint on this blog. In theory (again, still testing), you should only run into this if you've previously pinned the fingerprint as that article describes.
It's understandable that trusting this status blog regarding that fingerprint would make some people queasy. Once the new fingerprint is released, feel free to contact us directly, by email or phone, to confirm it!
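As an added example (not Fog Creek's code or the article's), here is how a Kiln user could compute the fingerprint of the certificate a server presents, compare it with the one published out of band, and update the pin in hgrc. The certificate bytes and hgrc contents are constructed; the `[hostfingerprints]` section holding a colon-separated SHA-1 fingerprint is assumed to be the format Mercurial of this era reads.

```python
import base64
import hashlib
import ssl
from configparser import ConfigParser
from io import StringIO

# Constructed stand-in for a server certificate: these bytes are NOT a real
# certificate. A fingerprint is just a hash of the certificate's DER encoding,
# so the procedure is identical for the real kilnhg.com certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed-not-a-real-certificate").decode()
    + "-----END CERTIFICATE-----\n"
)


def fingerprint(pem: str, algo: str = "sha1") -> str:
    """Colon-separated hex digest of the DER form of a PEM certificate
    (same shape as `openssl x509 -fingerprint`)."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.new(algo, der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_pem(host: str, port: int = 443) -> str:
    """Retrieve the certificate a live server presents (network call;
    not exercised by the offline sample below)."""
    return ssl.get_server_certificate((host, port))


def matches_published(pem: str, published: str) -> bool:
    """True when the presented certificate's SHA-1 fingerprint equals the one
    published out of band (case and stray spaces ignored)."""
    return fingerprint(pem) == published.replace(" ", "").lower()


def update_hostfingerprints(hgrc_text: str, host: str, fp: str) -> str:
    """Return hgrc text with [hostfingerprints] pinning `host` to `fp`,
    replacing any previous pin and keeping other sections intact."""
    cfg = ConfigParser(interpolation=None)
    cfg.read_string(hgrc_text)
    if not cfg.has_section("hostfingerprints"):
        cfg.add_section("hostfingerprints")
    cfg.set("hostfingerprints", host, fp)
    out = StringIO()
    cfg.write(out)
    return out.getvalue()
```

Only pin a fingerprint you have confirmed against the published value; if the presented one differs, stop and check with the service operator rather than updating the pin.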
Wait, I have some questions!
Perfectly understandable. If you have any questions, technical or otherwise, about this maintenance, please don't hesitate to reach out to us.