(Note: for most of our users, this change will have no effect and will not require any changes on your part.)
Our previous SSL certificate issuer for api.pushover.net and our pushover.net website is currently experiencing a DDoS attack on their OCSP servers, which browsers and other SSL clients use to check whether a given certificate has been revoked.
The result of that attack is that when a web browser or other SSL client with OCSP checking enabled tries to establish an SSL connection to api.pushover.net, it will stall for about 10 seconds while waiting to get a response from the OCSP server being attacked.
We’ve switched to a new SSL certificate provider with more robust OCSP servers, and have registered new certificates valid for 2 years.
For most of our users, this change will not require any intervention and will not be noticeable. Our Android and iOS clients are working fine with the new certificate, and most HTTP/SSL libraries and frameworks sending notifications through our API will not need to be notified of the new SSL certificate. However, some users of Java or other environments where a manual key store is needed may need to adapt to the new certificate provider.
We would have liked to have been able to give more notice before this change, but due to the problems that the DDoS is causing on the SSL provider, we had to act quickly.