Verification method iDeal and iDIN down

Incident Report for Signhost Verified Signing

Postmortem

Problem report iDeal and iDIN

Past week we saw a major outage in our iDeal and iDIN connectors. We want to apologize for any problems experienced by our customers during this outage, and through this way want to inform our customers about mitigating steps we took to prevent this from reoccurring. We are committed to guarantee a high uptime, as you are used from our platform.

‌

Intro

This problem was caused by an incorrect encryption cypher used by Evidos to communicate with the iDIN and iDeal platform.

iDIN and iDeal notified us about an upcoming change of their accepted encryption cyphers about two months ago. This change was scheduled to take place on the 30th of April. This update would block older cyphers from being used to communicate with the platform. (Cyphers are being used to encrypt and decrypt server-to-server communication)

We put these new cyphers to the test, and from our testing it seemed our servers were compliant with the impending update. These tests were performed early March.

Problem

On the 30th of April 2020 Currence released the preannounced iDIN and iDeal cypher update. We found our servers unable to communicatie with these methods anymore, and displayed an error message to signers. After noticing the issue we’ve created an incident here on status page. Our servers were not fully compliant with the new cypher suite, even though our initial testing proved otherwise.

Fix

We had to urgently deploy new server versions which accepted the new cypher suite, in order for iDIN and iDeal to be operational again as soon as possible. Based on useage and ease of fixing, first iDeal was restored, afterwards iDIN. Both were operational again the same day. A further, more robust and future proof fix was rolled out on Monday the 4th of May.

Mitigation

In order to mitigate these problems in the future, we have updated our servers to newer version accepting more cypher suites. Furthermore, we expanded our logging and testing capabilities to nip similar problems in the bud at an earlier stage. Finally, we are now in the process of retooling our iDIN connector so, if problems arise, we are even more flexible with regards to deploying these connectors on other servers and environments.

‌

This will help us guarantee our high uptime, and keep our customer’s environments operational and responsive in the future.

Posted May 06, 2020 - 15:15 CEST

Resolved

This incident has been resolved.

Posted Apr 30, 2020 - 22:13 CEST

Monitoring

A fix has been implemented and we are monitoring the results.

Posted Apr 30, 2020 - 21:55 CEST

Update

We are still working on the fix for iDIN. We currently expect this fix to take a few more hours to complete and iDIN to be operational again.

Posted Apr 30, 2020 - 15:11 CEST

Update

A fix for iDeal has been implemented. iDeal can be used again as a signing method, and we are monitoring the fix.

- iDIN is still out of order, we are looking to fix iDIN as soon as possible.

Posted Apr 30, 2020 - 14:06 CEST

Identified

The issue has been identified. Both iDIN and iDeal are affected. We are looking to fix this problem as soon as possible.

Posted Apr 30, 2020 - 13:04 CEST

Update

We are continuing to investigate this issue.

Posted Apr 30, 2020 - 11:46 CEST

Investigating

iDeal payments are currently having issues. This seems to be a broader problem with the service.

Posted Apr 30, 2020 - 10:54 CEST

This incident affected: ⮑ External verifications (iDIN, iDEAL).