Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

Decide what to do about Google Maps SSL warnings on openhatch.org/people/ #528

Closed
imported-from-roundup opened this Issue · 0 comments

1 participant

@imported-from-roundup

Comment by paulproteus:

Luke Faraone had this to say:

<lfaraone> paulproteus: hai!
<lfaraone> paulproteus: fyi, on openhatch, my browser is giving SSL warnings
because there are mixes of SSL and non-ssl content

If you load up https://openhatch.org/ in Firefox, and use Firebug to look at the
"Net" tab to see what pages we load, it should be all SSL ones. According to
Luke, it's not all SSL stuff -- that's the bug.


Comment by jesstess:

It looks like the home page is fine, but https://openhatch.org/people/ does have this issue -- the
Google maps API queries are over HTTP.


Comment by paulproteus:

Well, the only official way we can the Google Maps API over SSL is to pay Google
ten thousand dollars:
http://googleenterprise.blogspot.com/2008/09/httpssecuregooglemaps.html

We would have to serve the tiles ourselves, as well as the Google JavaScript. We
could use a reverse proxy to achieve that.

If we were a 501(c)3, we could request a free Premier key for Google Maps. It
would take 3 months for Google to contact us about it.

https://services.google.com/fb/forms/premiergrantapplication/ is the link to that.

Well, what now? I was hoping this would be easy, but I guess it's not!


Comment by paulproteus:

One further note:

https://gunnicom.wordpress.com/2010/10/14/redirect-from-https-to-http-works-for-tiles-from-openlayers/
indicates that we might be able to get away with using a redirect, rather than
actually proxying.


Comment by paulproteus:

I just changed the map template to <script src> the Google Maps javascript from
an OpenHatch URL (an SSL one, if you go to https://openhatch.org/people/), which
then redirects to the non-SSL Google Maps javascript.

Also, the main Google Maps javascript file just loads in another non-SSL Google
javascript file.

Chromium still shows https crossed-out, and Firefox doesn't show the nice blue
domain that indicates it's happy with the SSL setup, so I conclude that
redirects can't help.

Reverse proxies can't really help either -- once the browser grabs the initial
javascript over HTTPS, it will then load a non-HTTPS javascript file. And I also
haven't found any information on getting Google Maps to load tiles from our
server, rather than theirs.

So, um, I guess HTTPS and the Google Maps API are quite at odds.


Comment by paulproteus:

http://lists.osgeo.org/pipermail/openlayers-users/2010-January/015776.html is an
example of someone else running into the same problem a year ago.

Not terribly useful, but nice to know we're not alone.


Comment by paulproteus:

Well, this ticket says to "decide". So, to proceed, we can either:

  • Decide to do nothing, and leave the warning. That's probably bad.

  • Pay $10K. (not happening, unless someone else really wants to spend it on this)

  • Decide to proxy the tiles. (This is more reasonable than it sounds; for one
    thing, we're only at 10% of our monthly bandwidth usage.) I think this is what
    we should go with, for now.

  • Decide to, for all people search pages, redirect the user to an http-based
    version of OpenHatch. (That would be such a depressing choice, in terms of user
    security and privacy.)

So let's decide to proxy the tiles. Next step is to figure out how that'll work.
That'll be a separate ticket.


Comment by palhmbs:

Marking this resolved since Google has made SSL Maps API free.

There is a new issue to deal with implementing that. - See issue344.


Status: resolved
Nosy List: jesstess, paulproteus
Priority: bug
Imported from roundup ID: 213 (view archived page)
Last modified: 2011-03-24.18:53:45

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.