The Spring CMS Developer

Latest updates and thoughts

11 April 2014

SpringCMS and the Heartbleed bug

Background

The Heartbleed Bug is a serious vulnerability in the SSL cryptographic software library used by the majority of websites around the world. This weakness allows the information that would normally be protected by SSL encryption to be stolen. SSL is used to secure the connection between the visitor's web browser and the server, so that any information transmitted cannot be monitored and read.

How this affects Spring

Spring runs entirely on the Amazon Web Services (AWS) cloud computing platform.

All SSL connections are handled directly on the load balancers that distribute traffic across a pool of web servers.

While the web servers themselves were not at risk from the Heartbleed bug (primarily because we do not run SSL on those servers), Amazon have confirmed the load balancers were affected.

Not at Risk:

  • Editor login passwords for Spring were not at immediate risk, as we currently implement an additional method of hashing the password (hashing is a one-way form of encryption) before it is submitted over the internet on the login pages. This means passwords are never actually sent to our servers in a form that can be read easily, over either SSL or non-SSL connections.
  • Spring implemented stricter password requirements over 2 years ago, which means that even if the hashed password was obtained through an exploitation of the Heartbleed bug, we believe it would currently be impractical to recover the password by brute force.
  • Credit Card details submitted via SSL encrypted forms when using DirectOne or SecurePay as the payment gateway
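As an added illustration (not Spring's own code) of the login scheme described above: the browser submits a digest of the password rather than the password itself, and the server stores only a salted, slow hash of that digest. The hash function, salt size and PBKDF2 work factor are assumptions, since the post does not name them.

```python
import hashlib
import hmac
import os

# Constructed illustration of client-side pre-hashing: the digest computed in
# the browser is what crosses the wire, and the server never stores that digest
# directly. SHA-256, a 16-byte salt and 200k PBKDF2 iterations are assumptions.
SERVER_ITERATIONS = 200_000


def client_prehash(username: str, password: str) -> str:
    """Computed in the browser; only this digest is submitted to the server."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


def server_register(prehash: str, salt: bytes = b"") -> dict:
    """Store a salted PBKDF2 of the client digest, so a database leak does not
    hand out replayable digests."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", prehash.encode(), salt, SERVER_ITERATIONS)
    return {"salt": salt, "hash": dk}


def server_verify(record: dict, prehash: str) -> bool:
    """Recompute PBKDF2 over the submitted digest and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", prehash.encode(), record["salt"],
                             SERVER_ITERATIONS)
    return hmac.compare_digest(dk, record["hash"])


def login_flow(username: str, password: str, attempt: str) -> dict:
    """Register `password`, then attempt a login with `attempt`; reports whether
    the clear-text attempt ever appeared in what was transmitted."""
    record = server_register(client_prehash(username, password))
    on_the_wire = client_prehash(username, attempt)   # what a memory leak could expose
    return {
        "wire_contains_password": attempt in on_the_wire,
        "login_ok": server_verify(record, on_the_wire),
    }
```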

Possibly at Risk:

  • Personal details submitted via SSL encrypted forms (such as Billing or Shipping information)
  • Credit Card details submitted via SSL encrypted forms when using Eway as the payment gateway
  • If you were logged in as an editor, it may have been possible to obtain the temporary session key while editing, which could be used to piggyback on the current logged-in session to edit the site.

Mitigation

Due to the speed with which the Heartbleed bug was mitigated, we believe it is highly unlikely that any Spring sites were affected:

  • We can confirm that on 8/4/2014 all load balancers were patched against the Heartbleed bug. See the AWS Security Advisory.
  • As a precaution, all SSL certificates on all our load balancers have been rotated.
  • As a precaution, key internal developer passwords have been changed.

Further Information

For further information please contact support@millstream.com.au

12 May 2013

Twitter Timelines Support

Late last year Twitter made drastic changes to its Terms of Use and signalled that certain APIs (the means by which one application talks to another) were being phased out.

This meant that the built-in method of integrating Twitter 'feeds' into Spring sites would stop working.

We have officially retired our old plugins but have just released the new method of integrating Twitter Timelines into Spring.

We've created a help document detailing the steps, with examples, on how to implement them on any site.

06 May 2013

Browser Usage

The browser market share has changed significantly over the last few years, and we thought it would be interesting to share the current breakdown of access across all Spring CMS sites (approximately 1 million data points).

  • Internet Explorer: 36%
  • Safari: 35%
  • Chrome: 16%
  • Firefox: 11%
  • Other: 3%
  • Opera: 0%

It gets even more interesting when you break the statistics down by platform: over 20% of all traffic is from an iOS (iPad and iPhone) device, and it's increasing at an incredible rate.

02 May 2013

Browser Window Titles

Spring has always provided full access to editing Browser Window Titles, but we've recently added a few time-saving new additions.

We've added support for Browser Window Title Suffixes and Prefixes, allowing you to create a new 'Asset' and set the appropriate suffix or prefix for all pages on your site.

Additionally, you can now have a page's Browser Window Title contain the Browser Window Title of its parent folder.

We have created a new help document that explains how to use the new features, with examples.

28 February 2013

Goodbye prototype.js, hello jQuery

Up until now we have utilised the prototype.js library throughout the backend of Spring and on client websites.

This library provides a scripting framework that allows us to build features such as the lightview popups, slideshows and field validation.

So why the change?

Over time the jQuery library has flourished and its support has expanded, while use of prototype.js has diminished. Simply put, by moving to jQuery we have a much larger range of ready-built plugins that we can implement in Spring and on client sites.

In September last year we started testing jQuery equivalents of the core plugins we use on many client sites, and the results were extremely positive.

So it's official, any new sites will utilise jQuery from now on, and we'll be announcing some new core plugins within the next few months which we hope will create lots of new design opportunities.

28 February 2013

Editor Updates

With the migration to jQuery in progress we took the opportunity to update and improve the Page editing interface.

While it currently looks identical at first glance, we've made some significant changes under the hood which will provide some great new features shortly.

In the meantime, there are a few long-requested new improvements and bug fixes available now:

  1. [NEW] When uploading a new image, you no longer need to save the page to update the 'Thumbnail' dropdown menu.
  2. [FIX] If you replace a previously uploaded image, the new thumbnail is updated immediately.
  3. [NEW] If you replace an attachment, we highlight the updated attachment briefly.
  4. [NEW] In Safari, Chrome, Firefox, Opera and IE10 - you can now upload multiple attachments at the same time. Simply select more than one attachment when uploading!
  5. [NEW] In Safari, Chrome, Firefox, Opera and IE10 - you now get an upload progress bar for each attachment while it's uploading.
  6. [NEW] New and improved date/time picker
  7. [NEW] Color picker

12 November 2012

Fonts.com webfont support

SpringCMS now fully supports 20,000 new webfonts from http://www.fonts.com in addition to our existing TypeKit support.

From the fonts.com website:

With typefaces drawn from our renowned Monotype®, Linotype® and ITC® collections as well as other leading foundries, you'll find many of the most celebrated designs including Helvetica®, Frutiger®, Univers®, ITC Franklin Gothic™, ITC Avant Garde®, Rotis®, Neo® Sans and many other standout designs not available anywhere else.

You can search and preview the fonts online.

Additionally, Millstream have a fonts.com account, so you can simply specify the webfont you wish to use in your design and we will implement it when building the site for no additional charge. Alternatively, you can sign up for a paid subscription directly with fonts.com and use that with Spring.

12 November 2012

Peak Load

At times we have had issues coping with 'Peak Load' periods, where Spring receives significant traffic spikes causing database load issues and outages of 5 to 10 minutes.

We would try to cope with these massive spikes through a combination of refinements to Spring, increased caching and throwing more resources at Spring.

Over time the peaks have become more frequent and significantly larger. 6 months ago we scaled Spring to cope with 8x traffic peaks, 3 months ago 12x and less than 2 months ago we scaled Spring to cope with 16x traffic spikes.

3 weeks ago we received a spike of 28x the normal traffic level, approximately 500 page requests per second, which required our database system to start throttling requests and caused pages to stop loading.

This meant a rethink of how to cope with such traffic, and we concluded the solution was to re-architect the entire caching and database system.

We have spun off our user session databases to a dedicated high-speed scalable database system running on solid state drives (DynamoDB). This system has significantly higher peak capacity than our main database server and is optimised for very low latency.

We have also introduced 2 new dedicated caching servers (running Memcached) which I have written about below.

With these changes we are quietly confident we'll be able to cope with the next significant traffic spike and beyond.

12 November 2012

Cache Servers

We have recently added 2 new caching servers to Spring CMS and upgraded Spring to take advantage of the significant performance improvements they provide (replacing our own home-grown caching system).

With this addition, we have also refined the rules on what to cache, how long to cache it, and when.

The new rules are as follows:

  1. Spring will cache any page server side for 10-20 minutes.
  2. If a page is modified or saved within that period, Spring will generate and re-cache the page when next viewed.
  3. If you view a page while logged in as an editor, Spring will generate and re-cache the page every time you view it, ensuring you are seeing the latest version of the page.
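The three rules above, worked through as an added example rather than Spring's own code: an in-memory stand-in for the Memcached page cache, where the TTL jitter, the "dirty" marker used for rule 2 and the render counter are assumptions made for the illustration.

```python
import random
import time

# Constructed in-memory stand-in for the Memcached page cache so the three
# rules above can be exercised offline; the TTL jitter, "dirty" marker and
# render counter are assumptions, not Spring's implementation.
TTL_MIN, TTL_MAX = 10 * 60, 20 * 60   # rule 1: cache a page for 10-20 minutes

class PageCache:
    def __init__(self, render, clock=time.time, seed=0):
        self._render = render            # path -> HTML, the expensive step
        self._clock = clock              # injectable so tests can advance time
        self._rng = random.Random(seed)
        self._store = {}                 # path -> (html, expires_at)
        self._dirty = set()              # paths saved since they were cached
        self.renders = 0                 # how many times a page was generated

    def _generate(self, path):
        html = self._render(path)
        self.renders += 1
        ttl = self._rng.uniform(TTL_MIN, TTL_MAX)  # jitter spreads expiries out
        self._store[path] = (html, self._clock() + ttl)
        self._dirty.discard(path)
        return html

    def page_saved(self, path):
        self._dirty.add(path)            # rule 2: regenerate on the next view

    def get(self, path, editor_logged_in=False):
        if editor_logged_in or path in self._dirty:
            return self._generate(path)  # rule 3 (editor) or rule 2 (saved)
        entry = self._store.get(path)
        if entry and entry[1] > self._clock():
            return entry[0]              # still fresh: serve from cache
        return self._generate(path)      # expired or never cached

def walkthrough():
    """Drive the cache through each rule; returns the render count per step."""
    now = [1_000_000.0]
    cache = PageCache(render=lambda p: f"<html>{p}</html>", clock=lambda: now[0])
    steps = []
    for editor, save, advance in [(False, False, 0), (False, False, 0),
                                  (False, True, 0), (True, False, 0),
                                  (False, False, 0), (False, False, 21 * 60)]:
        if save:
            cache.page_saved("/about")
        now[0] += advance
        cache.get("/about", editor_logged_in=editor)
        steps.append(cache.renders)
    return steps                         # [1, 1, 2, 3, 3, 4]
```

The six steps are: first view (miss), repeat view (hit), view after a save (rule 2), editor view (rule 3), anonymous view of the page the editor just re-cached (hit), and a view 21 minutes later (expired under rule 1).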

12 November 2012

Twitter

Due to changes in the Twitter API, all embedded Twitter feeds on sites are currently not working, until further notice.

We are working on a solution, but it requires swapping to a new API which is a non-trivial amount of work.

Additionally, due to changes in the Twitter terms of service, ongoing support of embedded Twitter streams in pages is uncertain. We'll keep you updated once we know more.

We have started this blog to keep you up-to-date with the constant changes and improvements with Spring CMS.