Last week a certain new Firefox extension made headlines by making it trivial to hijack sessions over wireless networks, and easily access unsuspecting users’ accounts on a long list of major social networking and other websites. Pivotal Tracker had the dubious honor of being on that list.

The plugin author’s intent was to raise awareness of the insecure nature of wireless networks, and encourage websites to increase the use of secure (SSL) sessions, which encrypt transmission of data and prevent network sniffing and session hijacking.

Today, most sites use SSL for sign-in, and selected pages that handle sensitive information, but SSL is generally not enabled (or available) site wide. What this means is that after you sign in to Facebook, as soon as you visit any Facebook page that isn’t SSL enabled (for example, your private messages page), your session cookie becomes exposed, and allows a hacker (or just any bored person with Firefox at your local coffee shop) to gain full access to your Facebook account.

The recommended solution is for sites to enable SSL for all pages, from sign-in to sign-out.

As of this morning’s update, this is now the default in Tracker. After signing in, you should notice that every page is served via SSL (https:// prefix in the URL). If you never access Tracker on shared networks, however, and would prefer to turn this off, you can do that on the My Profile page by un-checking the ‘Always Use HTTPS’ option.

In addition, you can enable the ‘Always Use HTTPS’ option for specific projects, which will force SSL for every member of the project who visits the project, even if they’ve disabled the HTTPS option on their profile.

We have also added a secondary secure session cookie to prevent your session from being hijacked if you accidentally end up on a non-HTTPS page while signed in (via a bookmark, for example). This approach is similar to what Github describes in their blog post about the problem and their solution.

Note: As part of this change, we’ve had to remove the ‘remember me’ functionality, so you will have to sign in again after you close your browser. We’ll add a more secure version of this feature back to Tracker in the next update, later this week.

The last 2 1/2 years have been exciting for Pivotal Tracker. It’s grown from an internal tool we at Pivotal Labs occasionally shared with clients and friends to a mainstay of the Ruby, Rails and Agile worlds. Over this period, Engine Yard has provided us with their top-tier private cloud hosting, free of charge, as a service to the community. For this we are extremely grateful, and we hope our users share our gratitude for their generosity, in this and in so much else in the Ruby on Rails ecosystem.

As we’ve grown, Tracker has become a mission-critical system not just for us, but for over 140,000 developers, entrepreneurs, product owners, and enterprise clients on over 100,000 projects. The application handles over 50,000 requests per minute now, with peaks above 1,400 requests per second.

To support this level of usage, we’ve increased our level of investment in Pivotal Tracker on a number of fronts. So far, many of the changes have been invisible to our users: we’ve allocated more resources to Tracker development, and increasingly to Tracker operational support. We’ve also evaluated our hosting needs, including factors such as performance, level of control, and reliability. We’ve considered a number of options, and have chosen a hybrid solution made up of dedicated hardware for our database tier and private cloud for application servers. We think this option will provide the right level of control for our team, and provide the best overall performance and scaling capability.

What does this mean for you?

Specifically, it means that there is a migration coming up. We’re planning to cut over to the new hosting environment next Saturday, November 6th, starting at 8:00am PDT. Tracker will be unavailable during this migration, in a planned outage not to exceed 6 hours. We chose this time to minimize downtime during business hours for our customers in 158 countries worldwide. We don’t actually expect the move to take this long, but since it’s a big move, we want to make sure everything is working correctly before bringing things back up.

Pivotal Tracker will be moving to new IP addresses, so if you have any firewall rules or third party integrations that depend on this information, you will need to update them. We will be publishing the new IP addresses within the next few days, prior to the actual migration.

We’ve set the DNS TTL low leading up to the migration, so we don’t anticipate significant DNS propagation delays. If you are in a place where DNS changes take longer to propagate, however, please keep an eye out for this. We’ll help you with workarounds if the issue persists.

Thanks again to Engine Yard for all their great support. We continue to appreciate all they’re doing for the larger Rails community, and the huge investment they’ve made to support Pivotal Tracker. Tracker wouldn’t be what it is today without them.

Tracker should be fully back to normal as of early afternoon today. Please let us know if you are still experiencing any unusual slowness or connectivity issues.

Our apologies for not being able to access your projects this morning. We continue to investigate, and are waiting for our hosting provider to provide more information about the cause of the outage.

Our apologies for the site outage this morning. We’re working with our hosting provider to bring Tracker back up ASAP, and are investigating the cause.

For most current updates on the outage, please follow @pivotaltracker.