Skip to main content

Certificates Hell - How you can kill all your clients

Certificates, a lot of times I saw applications in production were down because of them. From big companies to small companies, each one had a lot of problems because of certificates. I would name this problems – Certificates Hell. Each problem that appeared because of them was caused by people or by a wrong process.
In this post I will tell you a short story on how you can make over 10.000+ clients unhappy. In a web application or a client/server application you need to use secure connection and of course certificates. The application contains a backend that is pretty complicated and more web applications. Additionally to this, there are also some native applications on iPhone, iPad, Android and Windows Phone. 
They are in production for about 5 years. In this period of time the web application changed, they started to create different native applications for mobile devices. Each native application contains also some certificates used to authenticate users and establish secure connection. 
 Everything was great until they decided to update their root certificate used by native applications. Guess what happened? All their mobile applications were down, none of their clients could use the mobile application anymore. 
Because they’ve updated the servers’ certificates, all their clients that had “hardcoded” the client certificates were down. All the certificates made from that application were refused by servers.
The solution for their problem was to push a new update for mobile applications. Of course updating a mobile application requires 1, 2 days - to reach to the clients. In all this period of time they had a lot of complains.
What they’ve done wrong? Two things.
Hardcoding the client certificates into the mobile application and change the server certificates without taking into account all the dependencies.
They had to learn it in the hard-way, like other big companies. 

Comments

  1. Was that Microsoft? :-)

    http://www.forbes.com/sites/timworstall/2013/02/23/ridiculous-microsofts-azure-fails-over-unrenewed-security-certificate/

    ReplyDelete
    Replies
    1. No. Was another big company. The name is not important.

      Delete

Post a Comment

Popular posts from this blog

ADO.NET provider with invariant name 'System.Data.SqlClient' could not be loaded

Today blog post will be started with the following error when running DB tests on the CI machine:
threw exception: System.InvalidOperationException: The Entity Framework provider type 'System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer' registered in the application config file for the ADO.NET provider with invariant name 'System.Data.SqlClient' could not be loaded. Make sure that the assembly-qualified name is used and that the assembly is available to the running application. See http://go.microsoft.com/fwlink/?LinkId=260882 for more information. at System.Data.Entity.Infrastructure.DependencyResolution.ProviderServicesFactory.GetInstance(String providerTypeName, String providerInvariantName) This error happened only on the Continuous Integration machine. On the devs machines, everything has fine. The classic problem – on my machine it’s working. The CI has the following configuration:

TeamCity.NET 4.51EF 6.0.2VS2013
It seems that there …

How to check in AngularJS if a service was register or not

There are cases when you need to check in a service or a controller was register in AngularJS.
For example a valid use case is when you have the same implementation running on multiple application. In this case, you may want to intercept the HTTP provider and add a custom step there. This step don’t needs to run on all the application, only in the one where the service exist and register.
A solution for this case would be to have a flag in the configuration that specify this. In the core you would have an IF that would check the value of this flag.
Another solution is to check if a specific service was register in AngularJS or not. If the service was register that you would execute your own logic.
To check if a service was register or not in AngularJS container you need to call the ‘has’ method of ‘inhector’. It will return TRUE if the service was register.
if ($injector.has('httpInterceptorService')) { $httpProvider.interceptors.push('httpInterceptorService&#…

Fundamental Books of a Software Engineer (version 2018)

More then six years ago I wrote a blog post about fundamental books that any software engineer (developer) should read. Now it is an excellent time to update this list with new entries.

There are 5 different categories of books, that represent the recommended path. For example, you start with Coding books, after that, you read books about Programming, Design and so on.
There are some books about C++ that I recommend not because you shall know C++, only because the concepts that you can learn from it.

Coding

Writing solid codeCode completeProgramming Pearls, more programming pearls(recommended)[NEW] Introduction to Algorithms

Programming

Refactoring (M. Fowler)Pragmatic ProgrammerClean code[NEW] Software Engineering: A Practitioner's Approach[NEW] The Mythical Man-Month[NEW] The Art of Computer Programming

Design

Applying UML and Patterns (GRASP patterns)C++ coding standards (Sutter, Alexandrescu)The C++ programming language (Stroustrup, Part IV)Object-oriented programming (Peter Coad)P…