Pagoda Box & the OpenSSL Heartbleed Vulnerability

Earlier this week, news of a vulnerability in the widely used OpenSSL library rattled the nerves of developers and web hosts around the world. The Heartbleed bug, aka CVE-2014-0160, allows the stealing of “information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).” [1]

Pagoda Box users can breathe a sigh of relief. All apps are protected from the Heartbleed vulnerability.

Apps on Pagoda Box are Not Vulnerable

The Heartbleed bug stems from OpenSSL’s implementation of the TLS/DTLS Heartbeat extension. Heartbeat is basically keep-alive functionality in the SSL handshake process that reduces the overhead of TLS negotiation.

While OpenSSL is used on Pagoda Box, it is only used for doing the heavy lifting of encrypting data. The SSL handshake and heartbeat are implemented in Erlang. All SSL connections with Erlang are safe from buffer overflow attacks like the Heartbleed vulnerability.

No specific actions need to be taken for apps on Pagoda Box. However, we do recommend checking with other services or service providers you may be using to see if they are susceptible to the vulnerability. They may suggest things you can do to make sure your information is secure.
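
The length check a heartbeat implementation has to make before echoing a payload, as an added example: this is not Pagoda Box's, Erlang's or OpenSSL's code. The message layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) is taken from RFC 6520 rather than from this post, and the function name `hb_build_response` is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST     1   /* heartbeat_request (RFC 6520) */
#define HB_RESPONSE    2   /* heartbeat_response (RFC 6520) */
#define HB_HEADER_LEN  3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PADDING 16  /* minimum padding required by RFC 6520 */

/*
 * Hypothetical helper: build a heartbeat response from a received message.
 *   rec, rec_len : the message and the number of bytes actually received
 *   out, out_cap : caller-supplied buffer for the response
 * Returns the response length, or -1 if the message must be discarded.
 */
long hb_build_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;                      /* too short to be well-formed */
    if (rec[0] != HB_REQUEST)
        return -1;                      /* only requests are echoed */

    /* payload_length is set by the peer: a claim, not a measurement. */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The claimed payload, plus header and minimum padding, must fit in
     * what was really received. Without this comparison the memcpy below
     * would read past the end of rec and echo adjacent memory. */
    if (claimed > rec_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return -1;                      /* discard silently */

    size_t resp_len = HB_HEADER_LEN + claimed + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return -1;                      /* response would not fit */

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, claimed);
    /* Real padding should be random; zeroed here to stay deterministic. */
    memset(out + HB_HEADER_LEN + claimed, 0, HB_MIN_PADDING);
    return (long)resp_len;
}
```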


Hosting Facebook Apps on Pagoda Box

Many Facebook apps and promotions are designed to pull in traffic quickly, service users for a relatively short amount of time, then either ramp down or completely go away. Pagoda Box is perfect for these types of apps, providing functionality necessary to quickly ramp up to handle traffic, then scale back down when demand goes away. This post walks through what you need to know to get started hosting Facebook apps on Pagoda Box.


Shared Writable Storage Interruption

Earlier today, at approximately 2:00 AM MDT (8:00 UTC), there was an interruption in our writable storage cluster that affected some apps’ ability to access certain files within shared writable directories.


MacMagazine Scales to Cover Apple’s Keynote Address

MacMagazine strives to be the best Apple-related site in the Portuguese language, covering everything in the Apple world (Mac, iPhone, iPad, iPod, OS X, iOS, iTunes, etc.). Launched in 2002, the site has been hosted on Pagoda Box since November 2012, and averages 300 – 450 active users on the site at any given time.

During coverage of Apple’s recent WWDC keynote address, MacMagazine used multiple Pagoda Box features to troubleshoot, update and scale their application on the fly. The quick adjustments helped them reach and sustain what was likely their all-time high of ~2,100 concurrent users (this is still being confirmed).

This post is an overview of their site, a timeline of the issues they faced, and the tools they used to scale their site for 5X their typical traffic. It’s not a perfect story, but it highlights how to assess performance and scale on Pagoda Box.


More Information About the Pagoda Box App URL Change

On Monday, June 10, we will begin the process of changing Pagoda Box app URLs from “” to “”. We’ve outlined the transition process below to help allay concerns about possible effects on application uptime and ease any transition pains.


Updated Streaming Logs

To provide added visibility into your apps, we’re announcing the release of updated application logging on Pagoda Box. Logs are now streamed through the Pagoda Terminal Client and may be enabled or disabled through the Boxfile.

Previously, logs were located in the logs directory inside shared writable storage. Those historic logs will remain in place until June 10th, when they will be removed from writable storage. As of today, application logs will be stored in the Pagoda Box system for a 24-hour period. You may access or stream these application logs using the “pagoda log” command in the Terminal Client. Users are no longer required to use ssh, then cat or tail logs, or to download the entire log file via SFTP to view it.
