A lot has changed in the Microsoft technology world in the last 7 years since I launched ASafaWeb in September 2011. Windows XP is no longer the dominant operating system (Win 7 actually caught up the month I launched ASafaWeb). Internet Explorer is no longer the dominant browser (Chrome was in 3rd place back then). Windows Server has gone from 2008 R2 to 2012 to 2012 R2 to 2016 to 2019. And lastly, .NET has gone through a heap of different versions (as has Visual Studio) from 4.x to Core 1 and now Core 2 (and minor versions within them).
My own personal focus has also changed moving from corporate life to independence. From development and architecture to security. From Sydney to the Gold Coast. Crikey, even from having 1 kid to 2! The point is that an awful lot has been happening but one thing that hasn't been happening is that I haven't been upgrading ASafaWeb which is why, as of today, it's reached end of life.
Some background on why I created it first because that will help explain why it's now at EOL: When I worked at Pfizer, everything in the Asia Pacific region was outsourced (because you developers are just too damn expensive, don't cha know?!) Now, when you take dev work and outsource it to the cheapest possible bidders in low cost markets, you get back... "interesting" results. I've written before about some of the lessons learned from that and one of those lessons was that developers continually struggle to get basic ASP.NET security configurations right. Stuff like disabling tracing and turning on custom errors and I was finding a huge amount of time went on just testing these basic things then explaining why they were a problem to developers. So I built an internal tool - a predecessor to ASafaWeb - and I used it not just on a case-by-case basis for new work, but I also ran it over our inventory of existing sites. That was useful for me, but it didn't do much for the external vendors building code as they couldn't proactively scan for misconfigured sites.
ASafaWeb was born of that need. I took the ideas I'd worked on internally and stood up the public site. It addressed an immediate need I had at work, it helped others out there meet the same need and, if I'm honest, it gave me a fun project to work on. And I put a lot of work into it, at least in the early years. But once the service did what I needed, effort went elsewhere. Then Have I Been Pwned came along in late 2013 and achieved sudden (and unexpected) success so obviously, that's where my effort went. The .NET framework evolved and technology moved but ASafaWeb stayed frozen in time. Well, almost frozen:
In July this year, usage really started plummeting. Those numbers descended all the way down to single-digit users per day and, as it turns out, there's actually a good reason for that:
The site kept going offline. ASafaWeb ran on AppHarbor and back at the time I launched the service, this was their site:
That's a pretty ballsy claim! But they were right because it was early days in Azure and one of the things that Microsoft's offering simply couldn't do was allow you to publish a normal everyday garden variety website. There were things like Worker Roles, but there was friction involved in moving from development norms of the time to Microsoft's new offering. Of course, many things are very different today; Azure is a major cloud player, there's heaps of deployment models and, unsurprisingly, AppHarbor no longer makes that claim. In fact, if I'm honest, I've no idea what the folks behind the service have been up to in recent years and I get the impression that like ASafaWeb itself, things have been pretty quiet on that front. The point re AppHarbor and the site outage is that I'm not sure how much of this was due to what I suspect is a decline in the viability of their service. Their site is still up and functional, but their Twitter account hasn't been active for 2 and a half years now and the last blog post they wrote was in 2014. On the face of it, their ongoing viability looks questionable in an era where arguably, Azure itself is now "Azure done right". (Note: I would like to point out that they provided hosting to ASafaWeb for free and I'm enormously appreciative of their support on that front.)
Getting back to the Cloudflare error, a cursory review of the service didn't show any obvious issues. I hadn't committed a change since January 2016, there was no indication of the root cause in the logs and, if I'm honest, I didn't have the time to invest in troubleshooting and nobody was complaining about it anyway. Actually, in fairness, once every couple of weeks someone would reach out and ask what happened to it, but it was once in a blue moon. In fact, over its entire lifespan Google Analytics reports only 227k people visiting the service. That's a traffic volume I've done in an hour on HIBP before!
Considering all that, combined with the fact that ASafaWeb had fallen well and truly behind the technology curve and was no longer accurate for a bunch of the newer sites it was scanning, I made the call to pull the pin on it. I'd much rather this than leave it in a non-responsive state where it's no longer maintained; that's not in anyone's best interest.
So what now? Well, there are a few things and the first is that you'll see there's now an EOL message on asafaweb.com:
The next thing is that I've removed the site from AppHarbor and taken a local copy of the data before also removing that from AppHarbor. I'm going to retain a local copy of that data for 3 months before I permanently delete all copies of it, just in case there's a reason to go back to it. Next, I'm going to email all ~1.7k users who signed up to ASafaWeb to use the scheduler service to advise them of the EOL status. I'm also going to offer them a discount for Report URI (the project I run with Scott Helme) and point them to his Security Headers project. These are not the same as ASafaWeb in that they're not looking for misconfigured ASP.NET, but they're in the same realm of online services which can be used for enhancing website security. I don't plan to release the original source code; not only is it woefully out of date, it has origins within Pfizer and I'm honestly not sure of the implications of that. Besides, the ASafaWeb tag on my blog contains many posts that do a great job of explaining the rationale behind the scans.
In reality, formally moving ASafaWeb to EOL will have very little impact on people as the site has been uncooperative for months now anyway. But I wanted to properly explain the background and formally close it down whilst also providing people with some options for the future too.
Lastly, I appreciate all the input people have provided over the years. The support from the community is a large part of what drove me to go on and create HIBP which has now become a very large part of what I do. Thank you everyone!