IATI Registry: Now using HTTPS

dalepotter · July 15, 2016, 10:32am

Work has recently been completed in install a Secure Socket Layer (SSL) certificate on the server that powers the IATI Registry.

This will mean that content is now served under the encrypted HTTPS connection. This is in line with internet best practices.

Requests to all Registry URLs using the unencrypted HTTP protocol should be automatically redirected to use HTTPS. This means that there should be no change to user interface functionality. Similarly, API functionality will not be affected, as long as application requests have been set-up to follow redirects, as is common with many request libraries.

Please do let us know below if you have any comments or questions.

bjwebb · July 15, 2016, 12:26pm

I get a notice in the right hand side of my URL bar in Chromium: “This page is trying to load scripts from unauthenticated sources”

siemvaessen · July 15, 2016, 12:27pm

provide links to those sources. probably some image/external reference not behind HTTPS

bjwebb · July 15, 2016, 2:23pm

Looking in the developer console I see:

jquery.min.js:529 Mixed Content: The page at ‘https://www.iatiregistry.org/’ was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint ‘http://www.iatiregistry.org/api/i18n/en’. This request has been blocked; the content must be served over HTTPS.send @ jquery.min.js:529
jquery.min.js:529 XMLHttpRequest cannot load http://www.iatiregistry.org/api/i18n/en. Failed to start loading.

dalepotter · July 15, 2016, 2:43pm

Thanks for the heads up on this Ben - I have flagged this up to Open Knowledge Foundation (the suppliers of the Registry) and have also sent them an article suggesting a fix.

Will post to this forum when this is resolved. In the meantime, please feel free to post if you come across any other issues.

ckraft · August 8, 2016, 1:17pm

Hey Ben, hey Dale,

thank you very much for pointing this out. We will take s look on this soon and post an update here.

Have a great start into the week!

Chris

ckraft · August 8, 2016, 12:34pm

My development team told me that this issue should be solved.

Please feel free to test it.

Best regards,

Chris

bjwebb · August 8, 2016, 3:19pm

I’m still seeing the problem on iatiregistry.org

rory_scott · August 8, 2016, 3:47pm

Hi Ben,

Thanks for pointing this out. On chrome the problem doesn’t show in the loading bar at all:

But on inspecting the javascript console, you can see this:

The insecure endpoint directs to an empty script, which contains only ‘{ }’.

@ckraft - any thoughts on this? I don’t think it’s effecting functionality for us, but I suppose there’s a chance that it could cause more security-heavy applications to halt / misbehave.

Thanks,
Rory

dalepotter · August 16, 2016, 8:51am

Just to chip in on this one too, using an updated version of Chrome (Version 52.0.2743.116 (64-bit)) I’m now getting a ‘scripts from unauthenticated sources’ warning in the URL bar itself.

It would be good to take a look at this issue again to try to come to a resolution, as it seems this issue have been ongoing for just over a month now.

ckraft · August 22, 2016, 3:08pm

Hello everyone,

I am very sorry for the late response. The notification emails went into my Spam folder…

I will raise this again and we will take a look on that.

Thanks and best regards,

Chris

dalepotter · September 1, 2016, 11:03am

Just an update on this issue, which was logged in GitHub as issue #74.

Alongside the suspected related GitHub issue #79, we understand that these ongoing issues should be resolved when the IATI Registry is upgraded to a newer CKAN version in October, meaning that a fix will take some time and would only exist for 4-6 weeks. Therefore, this issue is being marked as a #wontfix for now.

We apologise for any inconvenience this issue may cause in the meantime, and IATI will continue to monitor the situation to ensure that these issues do not reappear after the CKAN upgrade.