Incident Report: Firefox & Internet Explorer Report Revoked Certificate

Drew Buschhorn • April 11th, 2014


On April 7, as part of our efforts to resolve the Heartbleed issue for, we ordered and released new SSL certs to ensure secure communication between you and

After those new certs were fully deployed and accepted, we requested that our SSL certificate provider revoke the old certificates, as part of the best-practice steps suggested when resolving Heartbleed.

Unfortunately, by mistake our SSL certificate provider revoked *all* of our certificates for, including the new ones we had just issued. As a result, we’ve had to scramble to deploy a third set of certificates that should now be live.


For a time between 9:30 ET and 10:15 ET (2014-04-11), you may have seen a message like “Certificate Invalid or Revoked” when trying to log in to your FormAssembly account using Firefox or Internet Explorer. Most likely you would not have been able to proceed past that warning.

Form processing was not affected for the vast majority of users during that time (as we rely on separate domains for form processing).


At this time the issue should be resolved. There should be no special action required on your part, and you should be able to access without issue on any browser. If this is not the case, please contact us immediately at

We apologize for any inconvenience this may have caused.

The FormAssembly Infrastructure Team

FYI – For those curious or wishing to confirm, the correct certificates for should have a validity date from 2014-04-10 to 2015-09-29.
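
One way to make the confirmation suggested in the FYI above, as an added example that is not FormAssembly's own code: it compares a certificate's notBefore/notAfter dates with the window given in the post. The function names and the sample certificate dicts are constructed for illustration; the site's hostname is not given here, so `fetch_certificate` takes it as a parameter.

```python
import socket
import ssl
from datetime import date, datetime, timezone

# Validity window the post gives for the correct (third) certificate set.
EXPECTED_NOT_BEFORE = date(2014, 4, 10)
EXPECTED_NOT_AFTER = date(2015, 9, 29)


def _cert_date(value):
    """Convert an OpenSSL-style time ('Apr 10 00:00:00 2014 GMT') to a UTC date."""
    seconds = ssl.cert_time_to_seconds(value)
    return datetime.fromtimestamp(seconds, tz=timezone.utc).date()


def classify_certificate(cert):
    """Compare a getpeercert()-style dict against the expected validity window."""
    not_before = _cert_date(cert["notBefore"])
    not_after = _cert_date(cert["notAfter"])
    if (not_before, not_after) == (EXPECTED_NOT_BEFORE, EXPECTED_NOT_AFTER):
        return "expected"
    if not_before < EXPECTED_NOT_BEFORE:
        # Issued before the replacement set: an earlier certificate is being served.
        return "older-certificate"
    return "unexpected"


def fetch_certificate(host, port=443, timeout=10):
    """Fetch the leaf certificate a live server presents (chain and hostname verified)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in the dict format returned by getpeercert();
# the times of day are assumptions, only the dates come from the post.
SAMPLE_CURRENT = {"notBefore": "Apr 10 00:00:00 2014 GMT",
                  "notAfter": "Sep 29 23:59:59 2015 GMT"}
SAMPLE_OLDER = {"notBefore": "Apr  8 00:00:00 2014 GMT",
                "notAfter": "Sep 29 23:59:59 2015 GMT"}

if __name__ == "__main__":
    for name, cert in (("current", SAMPLE_CURRENT), ("older", SAMPLE_OLDER)):
        print(name, classify_certificate(cert))
```

This checks dates only. Python's default TLS context does not query revocation status, so a revoked certificate with the right dates would still be classified as expected.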

Heartbleed and FormAssembly

Drew Buschhorn • April 9th, 2014

On April 7, 2014, a major vulnerability called ‘CVE-2014-0160’ or ‘Heartbleed’ was announced for recent versions of OpenSSL, an industry standard program used to secure communication on the internet. FormAssembly, along with many other major industry players, had to address this issue. While we have no evidence that any communication or data on FormAssembly has been compromised, we would like to share with you the steps we’ve taken to remediate the issue and how it impacts you as a customer.


Heartbleed can cause a server to return confidential data when it receives a specially crafted request. This means that potentially all communication between the server and clients over HTTPS could be compromised.


Unfortunately this issue is not limited to FormAssembly users, and is affecting a wide swath of the internet. As the week goes on, you will hear of more services affected by this issue. The following sites have announced that they were affected by this issue: Facebook, Flickr, Yahoo Mail, Slate, and the list goes on.

FormAssembly Enterprise Cloud instances were not affected by this issue, because a different software set is in place for those private instances. However, FormAssembly Enterprise Cloud customers should see the ‘WHAT YOU SHOULD DO’ section below, as this issue was not limited to FormAssembly.


Once the issue was announced, we updated all vulnerable FormAssembly servers within the hour of the fix being released. Once that immediate issue was resolved, we began the process of requesting new SSL / HTTPS certificates to ensure all communication between our servers and you is secure. At this time, those new certificates have been deployed and are again protecting our communications and data.


We have no evidence that any communication or data on FormAssembly has been compromised as a result of this issue.

However, because of the widespread nature of this vulnerability, we’re recommending you change your password on, as you may have used your password on a site that has been compromised. No account data or settings could have been compromised as a result of this issue, as we take additional steps to protect account transactions and access.

As part of rolling out the new secure communication certificates, please let us know immediately if you have any trouble communicating with, or see any unexpected behavior in your browser.

We apologize for any inconvenience this has caused you. If you have any questions, please contact us here or at

FormAssembly Infrastructure Team

Finally, like our robot above, if you know your IT team, give them a hug today, as this has been a challenge for us all.

New: Smarter ways to update Salesforce Records with FormAssembly

Deborah Kim • March 6th, 2014

We’ve updated our Salesforce integration, fixed several bugs, and added new features to the connector! You can now:

Update the most recent record, when dealing with duplicates.

This was one of our most requested features! It’s especially important when dealing with duplicate records in Salesforce. Before, if the connector ran into duplicate records, you could only create a new record (and therefore keep adding dupes). Now, you can simply pick the most recent record found and update that one.

Update multiple records using repeatable sections.

FormAssembly has always been able to create multiple records in Salesforce using repeated sections, but now you can also update ’em.

Implement smarter handling of update-or-create scenarios.

You can set a connector to update a Salesforce record, or create a record if there isn’t an existing record to update. So, you’ll use the same field mapping for both creating and updating.

But sometimes the information needed to create a record isn’t the same as the info needed to update a record — which means the field mapping might fail when trying to update, because Salesforce won’t let FormAssembly update the field (the field is read-only after it’s created).

Now, however, the Salesforce Connector is smart enough to figure out which field can be updated and which cannot. In most cases, it’ll be easier and faster to set up a connector!

Access the latest objects and fields in Salesforce.

Until now, the most recent Salesforce changes weren’t available in FormAssembly because we were using an older version of the API. We’re now caught up, which means you can now access various Chatter and feed-related objects. For more details, see the Salesforce Release Notes.

We’ve also improved the UI a bit:

  • Invalid or obsolete field mappings are highlighted. If you set up a connector and then make changes to the form, any invalid and outdated field mappings will be highlighted in red, and new fields will be in green.

    Here, for example, we’ve deleted the “First Name” field:

Screenshot of a Field Mapping in the Salesforce Connector

  • The Connector Log shows which object is responsible for each log entry. For example, if an error is triggered by object 1.1, you’ll see “1.1” at the beginning of the log entry.

We hope you’ll find these changes useful. If you’ve got any feedback for us, we’d love to hear it. Comment here, shoot us an email, or tweet @FormAssembly!

Quick Tip: Resend corrected responses in the Salesforce Connector Log

Deborah Kim • February 28th, 2014

If you’re a Salesforce user, here’s a tip!

If you get a response that triggers an error in the Salesforce Connector — for instance, the respondent entered a date in the incorrect format — then you’ll need to correct the response and re-send it through the connector.

You can go the long way and ask the respondent to correct their response, but sometimes it’s faster to fix it yourself, particularly if the issue is just a typo.

To speed up the process, you can do all this from the Salesforce Connector Log.


  1. Go to the Connectors tab and click view log for the Salesforce v2.0 Connector.
  2. Find the buggy response (the text will be in red). Click View Response, then Edit this response.
  3. Make the necessary changes and press the submit button — don’t worry, it won’t activate any email notifications. This will only edit the response that’s already been submitted.
  4. Go back to the Connector Log and click Resend.

You’re done!

If this is helpful, or if you’ve got a tip to share, let us know — drop us a line, leave a comment, or tweet @FormAssembly.

New: Accept eChecks with the Authorize.Net Connector

Deborah Kim • February 24th, 2014

Now, on the Enterprise Plan, you can accept eCheck payments with the Authorize.Net Connector!

An eCheck payment is a direct bank transfer through an Automated Clearing House (ACH) transaction. With Authorize.Net, you’ll be able to accept eChecks for U.S. banks.

Please note that eChecks are for U.S. transactions only, and you must apply to accept eChecks with Authorize.Net. You can read more about the application process and requirements in their User Guide.


If you’re a merchant, you’ll find that eChecks carry a substantially lower fee than credit cards. For example, eCheck fees are 0.5% to 1.75%, whereas credit card fees are around 3% to 4% (check the User Guide for more details about the rates). On the other hand, you’ll also find the approval process more thorough.

Keep in mind, however, that consumers and customers may prefer to pay with a credit card for various reasons (e.g., the ability to pay in installments, rewards, consumer protection).

We’ve also cleaned up the UI a bit, so it’s better organized and easier to use. For example, you can collapse lists for field options (e.g., the list of options for a “Country” field).

You can now also verify credit card payments with the CVV code, and see subscription IDs reported separately from transaction IDs. In addition, FormAssembly will automatically authorize a subscription transaction before creating the subscription.

If you have any questions or issues, please contact Support. You can also share your feedback in a comment here, a message, or a tweet @FormAssembly.

Happy Valentine’s Day, everyone! ♥

Deborah Kim • February 14th, 2014