IATI Registry: Now using HTTPS


(Dale Potter) #1

Work has recently been completed to install a Secure Socket Layer (SSL) certificate on the server that powers the IATI Registry.

This will mean that content is now served under the encrypted HTTPS connection. This is in line with internet best practices.

Requests to all Registry URLs using the unencrypted HTTP protocol should be automatically redirected to use HTTPS. This means that there should be no change to user interface functionality. Similarly, API functionality will not be affected, as long as application requests have been set up to follow redirects, as is common with many request libraries.

Please do let us know below if you have any comments or questions.


(Ben Webb) #2

I get a notice in the right hand side of my URL bar in Chromium: “This page is trying to load scripts from unauthenticated sources”


(Siem Vaessen) #3

Provide links to those sources. Probably some image/external reference not behind HTTPS.


(Ben Webb) #4

Looking in the developer console I see:

jquery.min.js:529 Mixed Content: The page at ‘https://www.iatiregistry.org/’ was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint ‘http://www.iatiregistry.org/api/i18n/en’. This request has been blocked; the content must be served over HTTPS.
send @ jquery.min.js:529
jquery.min.js:529 XMLHttpRequest cannot load http://www.iatiregistry.org/api/i18n/en. Failed to start loading.
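
Added example (not part of the original thread and not the Registry's or CKAN's code): a small Python scanner that flags the kind of reference reported above, i.e. `http://` subresources and hard-coded `http://` literals in inline scripts on a page served over HTTPS. The names `scan` and `MixedContentScanner`, the variable `i18n`, and the sample markup are assumptions made for illustration; only the i18n endpoint URL comes from the console output.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PASSIVE_TAGS = {"img", "audio", "video", "source"}  # usually warned about, not blocked
URL_IN_SCRIPT = re.compile(r"""["'](http://[^"'\s]+)["']""")  # heuristic for XHR targets

class MixedContentScanner(HTMLParser):
    """Collect http:// subresource references in a page served over HTTPS."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.in_script, self.findings = page_url, False, []

    def _check(self, tag, url, kind=None):
        absolute = urljoin(self.page_url, url)  # resolves relative and //host URLs
        if urlsplit(absolute).scheme == "http":
            kind = kind or ("passive" if tag in PASSIVE_TAGS else "active")
            self.findings.append((kind, tag, absolute))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.in_script = tag == "script"
        if attrs.get("src"):
            self._check(tag, attrs["src"])
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or ""):
            self._check(tag, attrs.get("href") or "")

    def handle_endtag(self, tag):
        self.in_script = False

    def handle_data(self, data):
        if self.in_script:  # inline script body: look for hard-coded http:// literals
            for url in URL_IN_SCRIPT.findall(data):
                self._check("script-literal", url, kind="possible-xhr")

def scan(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for HTTPS pages
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; only the i18n endpoint URL is taken from the thread.
SAMPLE = ('<link rel="stylesheet" href="/css/main.css">'
          '<script>var i18n = "http://www.iatiregistry.org/api/i18n/en";</script>'
          '<img src="http://example.org/logo.png"><a href="http://example.org/">x</a>')
if __name__ == "__main__":
    print(*scan("https://www.iatiregistry.org/", SAMPLE), sep="\n")
```

Plain `<a href>` links are ignored because navigation is not mixed content, and the script-literal match is a heuristic that needs manual confirmation in the browser console.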


(Dale Potter) #5

Thanks for the heads up on this Ben - I have flagged this up to Open Knowledge Foundation (the suppliers of the Registry) and have also sent them an article suggesting a fix.

Will post to this forum when this is resolved. In the meantime, please feel free to post if you come across any other issues.


(Christopher Kraft) #6

Hey Ben, hey Dale,

Thank you very much for pointing this out. We will take a look at this soon and post an update here.

Have a great start into the week!

Chris


(Christopher Kraft) #7

My development team told me that this issue should be solved.

Please feel free to test it.

Best regards,

Chris


(Ben Webb) #8

I’m still seeing the problem on iatiregistry.org


(Rory Scott) #9

Hi Ben,

Thanks for pointing this out. On Chrome the problem doesn’t show in the loading bar at all:

But on inspecting the JavaScript console, you can see this:

The insecure endpoint directs to an empty script, which contains only ‘{ }’.

@ckraft - any thoughts on this? I don’t think it’s affecting functionality for us, but I suppose there’s a chance that it could cause more security-heavy applications to halt / misbehave.

Thanks,
Rory


(Dale Potter) #10

Just to chip in on this one too, using an updated version of Chrome (Version 52.0.2743.116 (64-bit)) I’m now getting a ‘scripts from unauthenticated sources’ warning in the URL bar itself.

It would be good to take a look at this issue again to try to come to a resolution, as it seems this issue has been ongoing for just over a month now.


(Christopher Kraft) #11

Hello everyone,

I am very sorry for the late response. The notification emails went into my Spam folder…

I will raise this again and we will take a look at that.

Thanks and best regards,

Chris


(Dale Potter) #12

Just an update on this issue, which was logged in GitHub as issue #74.

Alongside the suspected related GitHub issue #79, we understand that these ongoing issues should be resolved when the IATI Registry is upgraded to a newer CKAN version in October, meaning that a fix will take some time and would only exist for 4-6 weeks. Therefore, this issue is being marked as a #wontfix for now.

We apologise for any inconvenience this issue may cause in the meantime, and IATI will continue to monitor the situation to ensure that these issues do not reappear after the CKAN upgrade.