Conversations about life & privacy in the digital age

More fun with SSL certificate verification failures

Some of you who tried to access spideroak.com a couple hours ago may have noticed a security warning from your browser complaining about an invalid certificate.

Whoops.

No, we didn’t forget to change the storage certificates again. In fact, the new certificate was purchased back in April.

Turns out there was some fun to be had with our new SSL certificate. (SSL is the mechanism that browsers use to encrypt your connection to the server, giving you the nice padlock icon so that you know websites like SpiderOak.com are secure.)

GeoTrust changed their certificate root due to some weaknesses in the old one, which meant that there was not only a new root, but also a new intermediate RapidSSL certificate thrown in for good measure. (The root is the certificate that browsers use to verify that all certificates are genuine. The intermediate certificate establishes a chain of certificates from the root to the certificate used by an individual website.)

This took me a few minutes to figure out, but once I got the extra intermediate certificate thrown in there, the website was happy.

Unfortunately there was another problem: the SpiderOak client didn’t know about the new certificate root. This would have affected anyone who was trying to complete their first signup or create a new device in the SpiderOak client.

The core of the problem is that by default, Python, the language that SpiderOak is mostly written in, does not verify SSL certificates at all, so we were forced to roll our own verification routines. We whipped up our own system that simply packaged the certificates in the client itself, which was better anyway because it didn’t rely on sometimes broken external SSL certificate chains. Today’s problem is the obvious downside. Our developers responded quickly and pushed out new builds with the updated certificate in about an hour.
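The two failures described above, reproduced with the `openssl` command line on a throwaway PKI. This is an added example, not SpiderOak's code; every certificate name in it (`old_root`, `new_root`, `intermediate`, `leaf`) is constructed, and it assumes the `openssl` CLI is installed.

```bash
#!/usr/bin/env bash
# Constructed throwaway PKI (all names invented): two roots, one intermediate, one leaf.
set -eu
cd "$(mktemp -d)"

# Minimal config so the CA certificates carry basicConstraints CA:TRUE.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# new_root NAME: self-signed CA certificate NAME.pem with key NAME.key
new_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo $1" \
    -config ca.cnf -extensions v3_ca -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# issue NAME ISSUER [EXT]: NAME.pem signed by ISSUER; EXT=v3_ca makes it a CA
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $1" \
    -config ca.cnf -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 2 ${3:+-extfile ca.cnf -extensions "$3"} -out "$1.pem" 2>/dev/null
}

# check TRUST_BUNDLE [CERTS_SENT_BY_SERVER]: prints ok or fail for leaf.pem
check() {
  if openssl verify -CAfile "$1" ${2:+-untrusted "$2"} leaf.pem >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

new_root old_root                    # the only root the shipped client bundle knows
new_root new_root                    # the root the CA moved to
issue intermediate new_root v3_ca    # new intermediate under the new root
issue leaf intermediate              # the website's certificate
cat old_root.pem new_root.pem > updated_bundle.pem

echo "browser, server omits intermediate: $(check new_root.pem)"
echo "browser, server sends intermediate: $(check new_root.pem intermediate.pem)"
echo "old client bundle, full chain:      $(check old_root.pem intermediate.pem)"
echo "updated client bundle, full chain:  $(check updated_bundle.pem intermediate.pem)"
```

The last two lines show why a client that ships its own trust bundle needs the replacement root in a released build before the server switches chains.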

So if you’ve had problems signing up, we’re sorry. We screwed up. Please download the latest version and try it again. I’ll be over here taking my due flogging.

TL;DR: All your existing backups, syncs, devices, shares, and everything else are fine. The next time you add a new device to your SpiderOak account, you’ll need to download the latest version of SpiderOak.

Update: If you tried to sign up during this time, you should be receiving an email from us shortly, along with an extra gigabyte of free storage to show our appreciation for your patience.

Update 2: It turns out that some older Android phones (older than Android 2.3) don’t include the newer CA roots! (Although, the original iPhone from 2007 does have those roots included via OS updates, and some Android vendors seem to include them also, so it is somewhat unpredictable whether a given phone has them.)

So, we’ve had to add an intermediate certificate to spideroak.com for older Android compatibility. We’ve published the desktop client revision 9830 which also recognizes this additional certificate. Once again, all existing devices, backups, syncs, etc. are fine. You’ll need the newest SpiderOak the next time you add a new device to your account (which is generally the best practice anyway). -Alan

Comments

  1. Paul @ SO says:

    Outages suck, but good work on getting everything straightened out so quickly.

  2. Roger says:

    I still get the SSL error with the windows version of the program in your download link.

  3. Wessel says:

    I'm also still getting the error in windows.

  4. Amanda says:

    I'm still getting the error in windows too.

  5. codedmind says:

    same problem here!
    Ubuntu 11.04 64 bits

  6. GS says:

    getting the SSL error still with Windows download…

  7. Danton says:

    Still getting the cert error with the macOS Leopard app :(

  8. Pedro Silva says:

    The software version for download still is 4.0.9829… according to the changelog the correct version should be 4.0.9898.

    We are still getting the ssl error :)

  9. EM says:

    =( yes, me too, tried with both win 7 and win XP

  10. Amanda says:

    Tried with my Ubuntu laptop and same error. Software version still 4.0.9829

  11. Erik says:

    Just signed up and can't verify my account. Get this error: Server error: [('SSL routines','SSL3_GET_SERVER_CERTIFICATE', 'certificate verified faild')]

  12. Kristjan says:

    ^ same here

  13. Joe says:

    Same here, desktop app still not working, can't set up for the first time. Is anyone working on this?!?!?!

  14. Rpcalabria says:

    Tried 9829 in both windows and Mac. Still not working.

  15. Rpcalabria says:

    Tried again in Mac. Works now. Thanks.

  16. Wessel says:

    New download solved the issue. It works now.

  17. Axel says:

    Tried several times today until I checked the blog… would have been nice to get an email to let me know :-) No email with free space as yet though. Currently evaluating S'Oak as an alternative to Dropbox, which I've been using for years now… Communication is vital folks! Don't make the same mistake DB made.

  18. Ryan says:

    Thanks for making the update so quickly. I'm set up with an account now, and I'm glad I switched from Dropbox already. Zero-knowledge is definitely the way to go.

  19. Daniel @ SpiderOak says:

    @Axel,
    We are very sorry. I did send out emails to what we believed were all affected users, but must have missed you somehow.

    Best,
    Daniel @ SpiderOak

  20. Alex Travek says:

    I always think back to China recording its citizens' Gmail login info using forged certificates. I understand this wasn't the case, but I'm always afraid it's a man-in-the-middle attack now.

  21. Dave says:

    Looks like you're still having issues as of early July 10. Would have been nice if this were mentioned somewhere a little prominent. I just spent I don't know how many hours trying to figure out why my client stopped uploading and went so far as to delete my .spideroak directory on one client just so I could get it to do SOMETHING. Well, after I did that, it reverted to having me sign in like it was the first time, and that's when it puked out an SSL error (when it goes to get the captcha).

  22. Matt says:

    You should really consider switching CA vendors. The company that I worked for previously was paying over $50,000/year for certificates and we got pretty poor support for that money. GeoTrust has a way of making changes without informing their customers, and even many of their own engineers. The switch in the root/intermediate CAs was one example, as it broke many of our older clients and required a lot of work to remedy.

    The final straw came when they switched the way they encoded some of the fields in their certificates (again without telling us or any of their L1/L2 support), and thereby breaking some of our most important proxy servers. After many hours of troubleshooting to figure out why the new certs wouldn't work and many more hours finding an engineer on their side who even had a clue what I was talking about, I convinced my company that it was time to switch to DigiCert. That switch cut our bill by 90% and we get much better service and communication from them. Just a thought…

  23. Rusty says:

    Hey, I am getting this error on a client's system. Has it been fixed, or are such issues still being faced by customers?