Lucas Scharenbroich
Lucas Scharenbroich, Technology Manager

It’s time to get serious about supporting secure HTTP on your GIS infrastructure.

HTTPS is a secure protocol used for communicating over the internet. It takes the familiar HTTP protocol used by web browsers and other devices, and wraps it up in a secure, encrypted package.

This has two significant benefits. First, it prevents two types of cyber attacks, known as eves dropping and Man-In-The-Middle (MITM) [1]. Basically, it prevents your users’ data from being intercepted as it travels from their device to your web servers. Second, it establishes trust amongst users that your site is owned and operated by your organization. This trust is especially important in the context of government services.


The Story of Secure HTTP – How it Swept the Internet

HTTPS was first available on the venerable Netscape Navigator browser that was released in 1994. It was ratified as an internet standard in 2000 and its usage has slowly grown over the decades. According to recent statistics [2] 45% of all sites support HTTPS as of June 2016. As HTTPS has become more ubiquitous, web-based products are beginning to require secure HTTP to enable core functionality.

Recently, the Chrome web browser made the decision to block the use of any geolocation services if the user is not running their web app from a secure site, and indicated that additional features will be similarly restricted in the future [3]. This had an immediate impact on many GIS web applications and required Esri and its business partners to provide immediate application updates [4]. In order to guarantee the use of modern web services, it is important that all organizations move to support HTTPS on their web servers.

In addition to waning support for unsecured HTTP with third party applications, Esri itself requires the use of HTTPS in Portal for ArcGIS during its deployment [5]. HTTPS is required in ArcGIS Server in order to support Federation with Portal [6]. Also, HTTPS is required to enable Enterprise Login for ArcGIS Online [7].


What Happens Next?

The need to support HTTPS will continue to grow as more and more pieces of web infrastructure require secure communications as a baseline requirement. It’s time to get serious about HTTPS. Pro-West is here to help.


Follow Lucas on Twitter
Email Lucas


Sources

  1. https://en.wikipedia.org/wiki/HTTPS
  2. https://letsencrypt.org/2016/06/22/https-progress-june-2016.html
  3. https://developers.google.com/web/updates/2016/04/geolocation-on-secure-contexts-only
  4. https://blogs.esri.com/esri/arcgis/2016/04/14/increased-web-api-security-in-google-chrome/
  5. http://server.arcgis.com/en/portal/latest/administer/windows/portal-for-arcgis-system-requirements.htm#ESRI_SECTION1_69BEE31870B043D58B7CA9015A6B3C73
  6. http://server.arcgis.com/en/portal/latest/administer/linux/federate-an-arcgis-server-site-with-your-portal.htm
  7. https://doc.arcgis.com/en/arcgis-online/administer/configure-security.htm