Work has recently been completed to install a Secure Socket Layer (SSL) certificate on the server that powers the IATI Registry.

This will mean that content is now served under the encrypted HTTPS connection. This is in line with internet best practices.

Requests to all Registry URLs using the unencrypted HTTP protocol should be automatically redirected to use HTTPS. This means that there should be no change to user interface functionality. Similarly, API functionality will not be affected, as long as application requests have been set up to follow redirects, as is common with many request libraries.

Please do let us know below if you have any comments or questions.

Comments (11)

Ben Webb - IATI Secretariat

I get a notice in the right hand side of my URL bar in Chromium: “This page is trying to load scripts from unauthenticated sources”

Dale Potter

Thanks for the heads up on this Ben - I have flagged this up to Open Knowledge Foundation (the suppliers of the Registry) and have also sent them an article suggesting a fix.

Will post to this forum when this is resolved. In the meantime, please feel free to post if you come across any other issues.

Ben Webb - IATI Secretariat

Looking in the developer console I see:

jquery.min.js:529 Mixed Content: The page at ‘https://www.iatiregistry.org/’ was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint ‘http://www.iatiregistry.org/api/i18n/en’. This request has been blocked; the content must be served over HTTPS.
send @ jquery.min.js:529
jquery.min.js:529 XMLHttpRequest cannot load http://www.iatiregistry.org/api/i18n/en. Failed to start loading.
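
Added example, not part of the original thread or of the Registry's code: a JavaScript sketch of the mixed-content check the browser applied to the request in the console message above, and of why a relative URL avoids it. The function names and request-kind labels are this example's own, and the sample list is constructed apart from the one URL quoted in the message.

```javascript
// Passive content (images, audio, video) is "upgradeable" mixed content;
// every other request kind (scripts, XHR, stylesheets, frames) is blocked.
const UPGRADEABLE = new Set(["image", "audio", "video"]);

function isSecureUrl(u) {
  if (["https:", "wss:", "data:", "blob:", "about:"].includes(u.protocol)) return true;
  // Loopback hosts are treated as trustworthy even over plain HTTP.
  return ["localhost", "127.0.0.1", "[::1]"].includes(u.hostname);
}

// Returns "ok", "mixed-blocked", "mixed-upgradeable" or "not-applicable".
function classifyRequest(pageUrl, kind, requestUrl) {
  const page = new URL(pageUrl);
  // Relative and protocol-relative URLs inherit the page's scheme here.
  const target = new URL(requestUrl, page);
  if (page.protocol !== "https:") return "not-applicable"; // only HTTPS pages are restricted
  if (isSecureUrl(target)) return "ok";
  return UPGRADEABLE.has(kind) ? "mixed-upgradeable" : "mixed-blocked";
}

// Lists only the requests that a browser would flag on the given page.
function auditPage(pageUrl, requests) {
  return requests
    .map(({ kind, url }) => ({ kind, url, verdict: classifyRequest(pageUrl, kind, url) }))
    .filter((r) => r.verdict.startsWith("mixed"));
}

// Constructed sample. The first entry is the request from the console message
// quoted in this thread; the remaining entries are made up for contrast.
const SAMPLE = [
  { kind: "xhr", url: "http://www.iatiregistry.org/api/i18n/en" }, // hard-coded http://
  { kind: "xhr", url: "/api/i18n/en" },                            // relative: follows the page
  { kind: "image", url: "http://example.org/logo.png" },           // passive content
  { kind: "script", url: "https://example.org/app.js" },           // already secure
];

for (const f of auditPage("https://www.iatiregistry.org/", SAMPLE)) {
  console.log(`${f.verdict}: ${f.kind} ${f.url}`);
}
```

The same endpoint requested as `/api/i18n/en` passes the check because it resolves against the page's own HTTPS origin, whereas the hard-coded `http://` form is blocked before any server-side redirect to HTTPS can take effect.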

Christopher Kraft

Hey Ben, hey Dale,

thank you very much for pointing this out. We will take a look at this soon and post an update here.

Have a great start into the week!

Chris

Dale Potter

Just to chip in on this one too, using an updated version of Chrome (Version 52.0.2743.116 (64-bit)) I’m now getting a ‘scripts from unauthenticated sources’ warning in the URL bar itself.

 

It would be good to take a look at this issue again to try to come to a resolution, as it seems this issue has been ongoing for just over a month now.

Rory Scott

Hi Ben,

Thanks for pointing this out. On Chrome the problem doesn’t show in the loading bar at all:

Image removed.

But on inspecting the JavaScript console, you can see this:

Image removed.

The insecure endpoint directs to an empty script, which contains only ‘{ }’.

Christopher Kraft - any thoughts on this? I don’t think it’s affecting functionality for us, but I suppose there’s a chance that it could cause more security-heavy applications to halt / misbehave.

Thanks,
Rory

Christopher Kraft

Hello everyone,

I am very sorry for the late response. The notification emails went into my Spam folder…

I will raise this again and we will take a look at that.

Thanks and best regards,

Chris

Dale Potter

Just an update on this issue, which was logged in GitHub as issue #74.

Alongside the suspected related GitHub issue #79, we understand that these ongoing issues should be resolved when the IATI Registry is upgraded to a newer CKAN version in October, meaning that a fix will take some time and would only exist for 4-6 weeks. Therefore, this issue is being marked as a #wontfix for now.

We apologise for any inconvenience this issue may cause in the meantime, and IATI will continue to monitor the situation to ensure that these issues do not reappear after the CKAN upgrade.

