Version 2 of this post, published Mon 18 October, 2021:
Crisis averted! We’ve fixed the really big problem by creating a DNS-level fix that uses an alternate encryption certificate already living on the Raspberry Pi inside our Boxes. So, it’s the kind of fix people who haven’t read any of this won’t even have noticed.
And here’s a gentle reminder to do an update of your Boxes from time to time so you can keep up to date with improvements we’re making to the software. Version 1.2 is coming up; it improves the way the Box reports boops so that it includes the ones that happen while your Box isn’t on WiFi. Once you do updates after your Box is on V1.2, any offline boops will get sent back to HQ for inclusion in the boop log.
Version 1 of this post, published Wed 13 October, 2021:
Something has changed in a third-party service, and it has affected all our Boxes, which use a protocol called HTTPS to connect securely to Heart, our web platform. We’re sorry to report that a ‘root certificate’ that ensures this secure HTTPS connection has expired. This means Boxes out in the world cannot currently connect to Heart and therefore cannot get updates to collections or write stickers. Any content already loaded on Boxes will work without issue.
This is obviously very bad and we’re working on what we can do about it. (This is in addition to waiting for the global chip shortage to sort itself out so we can get on with Batch No. 3.)
- HTTPS – Wikipedia says “Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network, and is widely used on the Internet.”
- Heart – this is the name of our in-house web platform where you can see collections, boxes, and boops. Anyone with a Museum in a Box can create an account on Heart to manage their Boxes and collections.
- Root certificate – Wikipedia says “In cryptography and computer security, a root certificate is a public key certificate that identifies a root certificate authority (CA).”
- Let’s Encrypt – a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG).
How does a Box use HTTPS?
Most websites these days use HTTPS to make sure all the traffic between your computer and the website is encrypted and secure. Your Museum in a Box is no different, so whenever it has to talk to our Heart platform it uses the same approach.
This encryption is done by both sides—the Box and Heart—agreeing on a set of secret keys each time the Box needs to connect to Heart. They use the agreed-upon keys to encrypt messages back and forth, so anyone who manages to intercept the messages won’t understand them.
There’s a second level of protection called certificates. Certificates are needed because, even when the Box is carefully encrypting messages for Heart using HTTPS, the other end of that connection could be someone impersonating Heart, and an impersonator would be able to read everything. To prevent an impersonator service reading messages, HTTPS adds certificates, which are digitally signed by a trusted third party to verify that a website is who it says it is. The Box checks the certificate to confirm it really is talking to Heart before it shares any keys.
Who is the “trusted third party”? Our certificates are signed by Let’s Encrypt. In turn, their certificates are signed by Digital Signature Trust. The certificate that Digital Signature Trust used to sign those is called a “root certificate”, because it’s at the end of the chain. Root certificates are the ones that your web browser or operating system chose to trust; they were installed at the same time as the software.
How do encryption certificates work?
Certificates have two parts:
- a public part, which is what we’ve been talking about so far and can be shared with anyone and everyone; and
- a private part, which is used in the signing process and must be kept safe on the website and not shared with anyone.
Given there’s a chance that the private part of a certificate might get leaked or stolen, certificates also have an expiry date. That means that any compromised certificate will only cause problems until it expires.
Normal website certificates tend to have quite short lifespans. The Let’s Encrypt certificates that we use for Heart, for example, only last three months.
Root certificates tend to have much longer lifespans because updating them is harder—the replacement certificates need to be shared with all the computers that might connect to the website, or, in our case, all the Boxes. These root certificates do expire, and the root certificate that signs all the Let’s Encrypt certificates we use expired at the end of September 2021.
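To make the chain of trust and the root expiry concrete, here is an added Go example that is not code from this post or from Museum in a Box. It builds its own constructed keys, names and dates: one intermediate key is cross-signed by an old root that expired at the end of September 2021 and by a newer root, and the same leaf certificate is then verified against each chain as of 13 October 2021. Go’s standard crypto/x509 verifier checks the validity dates of every certificate in the chain, the root included, so the old chain is refused and the new one is accepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func newKey() *ecdsa.PrivateKey  { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
func date(s string) time.Time    { return must(time.Parse("2006-01-02", s)) }

// issue signs a certificate for name with parentKey (self-signed when parent is nil); subjKey is the subject's own key, so one key can be certified by two different roots.
func issue(name string, isCA bool, from, until time.Time, subjKey *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: from, NotAfter: until, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // CertSign only matters on the CAs
	}
	if parent == nil {
		parent, parentKey = tmpl, subjKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &subjKey.PublicKey, parentKey))
	return must(x509.ParseCertificate(der))
}

// verifyAt does what a client's trust store does: build leaf -> inter -> root and check every link, including the root's own validity dates, as of the given date.
func verifyAt(leaf, inter, root *x509.Certificate, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now})
	return err
}

// Scenario models the post with constructed names and dates: an old root expiring 2021-09-30, a newer root, one intermediate key signed by both, and a leaf that is itself valid.
func Scenario() (viaExpiredRoot, viaCurrentRoot error) {
	oldRootKey, newRootKey, interKey, leafKey := newKey(), newKey(), newKey(), newKey()
	oldRoot := issue("Old Root", true, date("2000-09-30"), date("2021-09-30"), oldRootKey, nil, nil)
	newRoot := issue("New Root", true, date("2015-06-04"), date("2035-06-04"), newRootKey, nil, nil)
	interOld := issue("R3", true, date("2020-09-04"), date("2025-09-15"), interKey, oldRoot, oldRootKey)
	interNew := issue("R3", true, date("2020-09-04"), date("2025-09-15"), interKey, newRoot, newRootKey)
	leaf := issue("heart.example", false, date("2021-09-01"), date("2021-12-01"), leafKey, interOld, interKey)
	now := date("2021-10-13") // the day version 1 of the post went out
	return verifyAt(leaf, interOld, oldRoot, now), verifyAt(leaf, interNew, newRoot, now)
}
```

The leaf is identical in both runs; only the trust anchor differs, which is why swapping the root the device trusts (or the chain the server sends) is enough to recover.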
How does this affect anyone with a Box?
Until we get a fix in place, all the Boxes out in the world will refuse to talk to Heart. That means it isn’t possible to write new stickers, or add or update any of the content on the Box. Any content already on a Box or stickers already written will continue to work just fine.
This is obviously very bad.
We’re working on a fix for the problem and will post updates here and probably on Twitter. In the meantime, if you have any questions, do please get in touch. Here’s an invitation link to join our Slack and there’s a channel in there called #get-help we’ll be updating in, or you’re welcome to email us at firstname.lastname@example.org if you prefer.