Tendenci 4 Microsoft Clients Update

To our Tendenci 4 clients experiencing difficulties, you are ABSOLUTELY STILL MY TOP PRIORITY and the top priority of the entire team.

Huge progress has been made by the team this week and with the help of you, our clients with DNS entries and flexibility and understanding. The good news is that at this point most of you are back on line.

The Tendenci 4 functionality is slowly being recreated on the latest version of Windows Server 2012 R2. In the short term, given I constantly troll the helpdesk, I know y’all are frustrated by the lack of full functionality.

Yet I need you to hang on just a bit longer as this process MUST BE DONE SECURELY. I simply can’t and won’t compromise on that. You don’t rush through open heart surgery and Tendenci, as y’all know, is quite a bit larger than other products because the challenges we address, sites with sometimes 100k users, are much more complex than shopping carts or photos sharing sites.

Still heartbreaking to me is that I am profoundly aware we have a few remaining very important clients to bring back online. And that is a task with multiple people actively working on restoring them, even if they are leaving (and who can blame them) but regardless we will get a stable version for them.

The Good News – The vast majority of Tendenci 4 sites are back online as I type this. Yes you are faced with limited functionality, but have patience as we have to rewrite a lot of code to make the jump to Windows 2012 R2 and most of us have been on the Linux side for a while now.  We are seeing your functionality being incrementally restored daily. ETA is probably early next week to get to 75% functionality.

25% of the functionality will only return if we can find a way to securely implement it for all of you such that each client is isolated. Thus the functionality we plan to restore is only within the limits of new security.

What are the known issues for Tendenci 4 clients (the .asp clients)?

Current limitations – all of which are in place to protect you.

  1. Four sites still off line. Top priority. Period. They know who they are and with each I have personally been in contact.
  2. Limited functionality. Everyone else on the Microsoft version of Tendenci who is back up is still facing limited functionality. We are aware of this. No need to submit a ticket. It is coming back as fast as we can do it SECURELY. If we can’t return functionality securely it will not return at all but that is hopefully not going to be the case as I think we can find a work around for all of it. Specifically items that we know are not working and can’t be turned on just yet are posted in a series of posts right after this one. But in brief we are aware of and working on the following.
    1. Notifications – these will be back by early next week at the latest. Like “forgot my password” and “payment submitted” (just not newsletters.)
    2. Newsletters – Not enabled. You will each need to sign up with a third party email relay service. It could even be your own Amazon Simple Email Service account. This is a required change for all clients to sign up with an SMTP relay provider like Mailgun. Newsletter Generator will return; however, Newsletter Send is NOT coming back on the shared mail server. You MUST sign up for a newsletter provider that supports smtp authentication and clean your email lists. This you can start now.
    3. Uploads – these will come back slowly, limited, restricted and only in non executable areas. You will not be able to upload asp files, js files or any form of executable file going forward. This is a permanent change, but really it is a return to how it was designed and at some point we diverged from fundamentals.
    4. FTP – FTP is not coming back to T4 going forward. Never. But before you scream, web sites are not FTP portals and full FTP is no longer feasible. It shouldn’t have been allowed in the first place except to restricted folders and that got lost over the years by our team despite being documented internally. The Internet has changed, we have to change with it. And fortunately there are so many options for you on this. For example on T5 you can FTP into one folder named media. Or use Amazon S3 for static files. So it will be OK. From dedicated servers to S3 buckets to dropbox to gdrive links – you will have lots of options.
    5. WYSIWYG – we will be implementing a stripped down version of one (1) of the two current ftp editors that are in T4. Think minimalistic like wordpress, but you can still jump over to another html editor and use code view to paste tables and such back in for richer formatting if you prefer. Neither of the rich text editors you are used to will be coming back in the same format for security reasons. But you have work arounds.
    6. WYSIWYG uploads – read only files, no java script, no flash. But you can reference those from an external data store (see FTP permanent discontinuation above.)

Next steps. Today yet another firewall that is already in place will have more of its functionality turned on. It is already handling all of the traffic and has quietly been keeping track of things to find patterns that we need to allow (whitelist) so that our other security rules don’t get carried away. Thus it will be brought online slowly.

The new firewall is another layer of security typically called a WAF (web application firewall). While it’s true that we already have a WAF that was running, it was one that reported instead of dynamically taking action to block an attack. Furthermore it was designed like a virus scanner to look for known issues, not the unknown. The new WAF analyzes the traffic passing in-between the firewalls instead of just protocols and ports so it is much more advanced. And if it doesn’t like something, it jumps into action and blocks it.

Remember iRobot? Ya, kind of like that. So we unfortunately WILL experience some false positives. Yet he’s had enough “training” and is ready to be turned loose so us humans can get mad at him and we can fully educate him on what is legitimate traffic and what is not. Studying logs is one thing, but he’s got to get into the wild and test the real world. We ask for your patience on this. Again, it is to protect YOU!

Moving carefully forward…

Sincerely,

Ed Schipul, CEO, Tendenci