SSLv3 Vulnerability Addressed

October 17th, 2014

Last month a vulnerability in SSLv3 named POODLE (Padding Oracle On Downgraded Legacy Encryption) was discovered, allowing man-in-the-middle attackers to view encrypted information in plain text. As a result, SSLv3 is no longer secure, and we have removed this protocol from our servers in favor of TLS.

For most of you, this will be completely transparent. However, there are still some SVN clients which rely on SSLv3 for encryption during communication with remote repositories. Unfortunately, these clients will not be able to interact with our servers over HTTPS, and attempts to do so will now likely result in an SSL handshake error.

If you have been experiencing this issue recently, please be sure to update your client to the latest version. Upgrading has solved the issue for most of our customers experiencing this. If upgrading your client does not work for you, feel free to contact us at Support so we can assist you further.

We hope to see SVN clients that rely solely on SSLv3 get updated to support TLS in the near future.

More technical details on the POODLE vulnerability can be found here: https://www.openssl.org/~bodo/ssl-poodle.pdf

Today we're happy to announce that we've enabled two-factor authentication for all web access to Unfuddle accounts!

Two-factor authentication adds a strong layer of security to accounts by requiring not just a username and password, but also an additional code which is tied to a device you have in your possession, typically a mobile device such as a smartphone. This means that, once enabled, in order to sign in you will need to provide both your username and password AND have your device in your possession.

Setting up two-factor authentication in your Unfuddle account

Next time you sign in to your account, you will be prompted to enable two-factor authentication for your user account. If you choose to continue with the setup, you will be guided through the necessary steps. You do not have to turn on two-factor authentication for your account, but we highly recommend that you do in order to increase the security of your data. When you are ready to do so, you can turn it on in your personal settings.

Signing in with two-factor authentication

We've chosen to use a service called Authy to do the heavy lifting here. In order to use two-factor authentication with your Unfuddle account you will need to install the Authy app on your device. This app will generate the code you will enter along with your username and password when accessing your account. Don't worry, we walk you through the entire process when you begin setting up two-factor authentication in your personal settings.

Once you've entered your username and password, you will be prompted to enter an additional code.

This code is generated by the Authy app as mentioned above. You will have a certain amount of time to enter and submit the code before it is invalidated and a new code is generated by the app. Once you've entered the correct code, you will be logged in to your account.

For more help on setting up two-factor authentication for your account, please follow the instructions during the setup process, or contact Unfuddle support.

We hope you enjoy the added security and the increased peace-of-mind it brings!

Notice: SSL Heartbleed Bug

April 9th, 2014

On Monday, April 7th, a serious vulnerability in the OpenSSL cryptographic software library, known as Heartbleed, was publicly disclosed. OpenSSL is a very popular library used for providing secure and private communication for services such as websites, email, virtual private networks and more. This includes most communication with Unfuddle and similar services.

The bug essentially allows an attacker to access parts of a vulnerable system's memory, compromising the keys used to identify the service providers and encrypt communications. An attacker who obtained the private keys would potentially be able to eavesdrop on these communications and steal data or impersonate other users.

How We Are Handling This

There is no indication that Unfuddle servers have been attacked via this vulnerability. However, in response, we moved quickly to address any risk to our service:

  1. We have upgraded OpenSSL on our servers to a new version which is not affected by the Heartbleed bug.
  2. We have removed our old SSL keys and created new SSL keys on our systems.

What You Can Do

Again, there has been no indication that such an attack was carried out against Unfuddle. If you wish to be cautious, we recommend taking the following steps in your existing Unfuddle accounts:

  1. Change your password.
  2. Reset your account access keys. These are the keys used to access certain parts of your account via RSS. This can be done by an admin from within your account settings.

The security of your Unfuddle accounts is a top priority for us. We will continue to monitor our systems and be sure to immediately address any other issues which may come to light.

Good News

Our Unfuddle Alchemy project represented a complete rethink of how Unfuddle could help software teams work better. Through the feedback received, we have learned an enormous amount about how to help our customers better manage software projects. However, rather than continuing on as a standalone product, we have decided to integrate the best of Alchemy directly into the existing Unfuddle service.

We want to be clear that we consider Alchemy to be a great success! And this is good news for a number of reasons. First, Unfuddle is getting some really great functionality brought in. And second, we are no longer splitting time and energy working on two products at the same time. Instead, all our energy is going into making sure your existing Unfuddle account is helping you and your team become increasingly more productive. Also, as you might guess, this means we will not be accepting any more requests for invitation into the beta.

Custom Statuses and Task Boards

We’ve already introduced custom ticket statuses, the first of the Alchemy features to make its way over. And now we’re excited to let you know that the second feature of Alchemy has made its debut in Unfuddle: Task boards. We like to call them schedules and accordingly, you’ll find them under the Schedules tab.

Screenshot of the task board schedules

The regular ticket reports that you’re used to aren’t going anywhere. However, for those on the Compact plan or higher, custom statuses and schedules introduce some great new ways to plan and track progress throughout your team’s development cycle.

Updates to Milestones and Schedules

Speaking of the Schedules tab, we’ve begun making some much needed updates there as well. How many times have you had to change the date on a milestone because it represents an ongoing process rather than a specific time-bound goal? Well, now it is possible to create milestones which have no due date.

Screenshot of the ongoing milestones in the schedules tab

As you can see, we’ve also updated the layout a bit to make it easier to scan the list of milestones. And you’ll notice the page is much easier on the eyes with less glaring color and friendlier notification of lateness. In all, we feel this is the first step in making this view of project milestones much more useful.

Give Them a Try

We hope you give schedules a try. If you do not already have an Unfuddle account, you can sign up for a free 30-day trial at https://unfuddle.com/signup. If you do already have an account, regardless of plan, we have made schedules available to you for free for the next 30 days so you can experience just how valuable this new tool will be.

We hope you will enjoy these tools coming to Unfuddle. As always, please contact us at support@unfuddle.com if you have any questions or if you just want to say hello. We’d love to hear from you and will be happy to respond to any inquiries!

Custom Ticket Statuses

As you may have already noticed, we have just flipped the switch on the new ticket view for all Unfuddle accounts. You may recall that this new view paves the way to some new and exciting features, namely custom statuses and task boards.

So, today, we are simultaneously launching custom statuses to all of our customers who have Compact plans and above. Go ahead. Define as many statuses as you like. Bend Unfuddle to suit your own specific workflow. It’s now easier than ever!

Screenshot of the custom statuses management in the project settings page

Statuses can be added and removed by administrators from the project settings page. Please note that some statuses are required for certain powerful commit messages to continue working. For example, removing or renaming the “Resolved” status will prevent any resolve actions from being processed in the future.

Schedules

Custom statuses are awesome and really help Unfuddle to map to how each team thinks and works. But task boards are what we are really looking forward to introducing in Unfuddle. We are calling them “Schedules” and each milestone in your project essentially represents a schedule.

You may have even wondered at some point about the “Schedule” tab and thought, “why isn’t it just called ‘Milestones’?” Well, this is why! Even while we have been working on the new ticket view and custom statuses, we have also been working feverishly on Schedules and are looking to deploy them in the very near future.

Thanks for all of your comments! As we expected, our latest post regarding our updates to tickets has been quite popular. We've received a ton of great feedback and have been busy working to address your concerns and improve the way the new ticket view both looks and works.

We deployed a bunch of these updates at the end of last week. Here are the most significant changes in this new version:

  • Added new ticket report navigation in the Tickets tab
  • Added the ability to easily cycle through tickets in a given report
  • Updated the display of the Time Tracking and Associated Changesets sections so the most recent items are quickly visible
  • Added the ability to move a ticket to a different project
  • Added resolution description functionality
  • Updated a number of drop-down menus with a filter feature to make it easy to find specific items in a long list
  • Fixed a bunch of little interface bugs

Please continue to give us your thoughts on how this can be improved even more. It's most helpful to us if you use the feedback form in your account but feel free to leave a comment on this post too.

We are super stoked to be deploying a significant ticket-related update today. As you know, tickets are the heart and soul of Unfuddle. Whether you use them to track bugs or plan your projects, tickets are what you use to get things done.

We have been working hard to pave the way for some useful and much asked for ticket-related features in Unfuddle, including custom ticket statuses and task boards. Of course, anything that affects a core part of Unfuddle requires a lot of thought and a good dose of feedback from our customers.

We've already given this a lot of thought but that doesn't mean it's perfect. Now we are revealing an updated ticket view in all Unfuddle accounts so you can share your thoughts with us. You won't see custom ticket statuses or task boards yet, but, as stated above, this update is necessary for us to make a smooth introduction of those features in the coming weeks.

Screenshot of new ticket view

Since the ticket view is so core to many of your workflows, we are not yet retiring the "old" version. In fact, it is still the default view for now. However, you can toggle the views easily right from within the interface.

Image showing how to toggle between the current view and the new view

We want to make sure this update improves your workflow and makes Unfuddle even easier to use and more helpful to you and your team. And the only way for us to make that happen is if you give us your feedback!

Screenshot of the feedback form

Please use the feedback form in your account to send us your comments and questions. We will read and respond to all, as always. And, oh yeah, did we mention that custom statuses and task boards are coming to Unfuddle?!

Preventing Lost Form Data

May 24th, 2013

We have all been hit by it at some point. You spend 30 minutes writing the most perfect ticket, message or comment only to accidentally navigate away from the form. Seriously frustrating.

We have just launched an update that addresses this workflow issue. If you have entered any data in a form on the page, Unfuddle will now warn you when you attempt to navigate away from the page (either on purpose or accidentally).

It is a small change, but we trust that it will save everyone a lot of frustration.

Keyboard Shortcuts

May 8th, 2013

We've just deployed an update that will boost your efficiency in Unfuddle so you can get more work done faster. Introducing Unfuddle keyboard shortcuts!

Throughout Unfuddle it is now possible to create new items, navigate to different projects or tabs within a project, modify a ticket, comment on tickets and messages and more, all without touching your mouse. You can quickly see what is possible by tapping "?" on your keyboard. This will pop up the window shown below.

Keyboard shortcuts popup screenshot

Want to create a ticket? No problem! Simply type "nt" and go. Or do you want to accept the ticket you are currently viewing? Just type ".a". It's that simple.

Here is the full list of available shortcuts. What do you think? Are there any shortcuts you feel are missing? Let us know!

This week we are bringing you some updates to both the Activity page and Messages.

The Activity page has been completely revamped to function as a daily activity report. This makes it extremely easy to catch up if you were out of the office for a while or if you are looking to see what happened on a project on a specific day. Activity is grouped by object (ticket, message, etc), making it easier to parse, especially if you have a very active project. We expect to add additional filtering and sorting options in the future.

Activity Page in an Unfuddle Account

Messages have also received a complete facelift. You will notice that the comments have moved to the right hand side of the screen, greatly optimizing screen real estate for most users. And don't forget that drag-and-drop attachments are active everywhere on the page now, including on message comments.

Message Page in an Unfuddle Account

There have been a lot of changes to the interface lately. We have been really happy with the results and we hope that you are too. But as always, we are hungry for your thoughts. If you have any comments, please let us know!