On April 12th, we received confidential details of a security vulnerability that could allow someone to sign in as an arbitrary Ning user. The intent was not malicious, and to our knowledge and reasonable belief, there has been no unauthorized access to user accounts. The Ning engineering team immediately took several steps: We changed the encryption information to generate a sign-in cookie, and we changed where the information was stored. In addition, we proactively strengthened the encryption algorithm. The changes were then immediately rolled out across the Ning platform starting late last week. Ning Creators and their members may have noticed the protective measures when we forced all users to sign-in again. At this time, we are confident that we have addressed the vulnerability.
The Ning infrastructure runs all Ning Networks. It consists of thousands of machines with software that scales to millions of users. We have consistently delivered high uptime with our platform. As the usage characteristics change, the behavior of our infrastructure changes as well. We keep working on a number of projects that are designed to evolve our infrastructure and make the platform even more stable. As I promised last week, I wanted to provide details of the infrastructure projects we are currently working on. They’re not visible to Network Creators and are all low-level “plumbing” work, but they will enable higher uptime for all Ning Networks.
We have always prided ourselves on our uptime record. In March, we had 99.999% uptime. However, Ning Networks experienced slowness last week and brief downtime on Thursday evening. I wanted to take a few moments to walk you through what happened last week and what we’re working on to improve on situations like this going forward.
Keeping your Ning Network available for visitors, members and content posting is our top priority. When we looked at how we were measuring the availability of the Ning Platform at the beginning of the year, we realized that we needed to update how we measured the Ning Platform’s availability. We finalized a plan for measuring our uptime in Feb. and put it into action in March. From here on out, we’ll post regular, monthly updates of how we’re doing at keeping your Ning Network online and speedy.
We’ve already released our first big feature of 2010, but before we look too far into what’s coming up, I wanted to take a minute to go over our availability metrics for all of 2009. As I mentioned in November, in July we were able to address the issues causing instability in June, and make fixing them an immediate priority.