Decide what to do about Google Maps SSL warnings on #528

imported-from-roundup opened this Issue · 0 comments


Comment by paulproteus:

Luke Faraone had this to say:

<lfaraone> paulproteus: hai!
<lfaraone> paulproteus: fyi, on openhatch, my browser is giving SSL warnings
because there are mixes of SSL and non-ssl content

If you load up in Firefox, and use Firebug to look at the
"Net" tab to see what pages we load, it should be all SSL ones. According to
Luke, it's not all SSL stuff -- that's the bug.

Comment by jesstess:

It looks like the home page is fine, but does have this issue -- the
Google maps API queries are over HTTP.

Comment by paulproteus:

Well, the only official way we can use the Google Maps API over SSL is to pay Google
ten thousand dollars:

We would have to serve the tiles ourselves, as well as the Google JavaScript. We
could use a reverse proxy to achieve that.

If we were a 501(c)3, we could request a free Premier key for Google Maps. It
would take 3 months for Google to contact us about it. is the link to that.

Well, what now? I was hoping this would be easy, but I guess it's not!

Comment by paulproteus:

One further note:
indicates that we might be able to get away with using a redirect, rather than
actually proxying.

Comment by paulproteus:

I just changed the map template to <script src> the Google Maps javascript from
an OpenHatch URL (an SSL one, if you go to, which
then redirects to the non-SSL Google Maps javascript.

Also, the main Google Maps javascript file just loads in another non-SSL Google
javascript file.

Chromium still shows https crossed-out, and Firefox doesn't show the nice blue
domain that indicates it's happy with the SSL setup, so I conclude that
redirects can't help.

Reverse proxies can't really help either -- once the browser grabs the initial
javascript over HTTPS, it will then load a non-HTTPS javascript file. And I also
haven't found any information on getting Google Maps to load tiles from our
server, rather than theirs.

So, um, I guess HTTPS and the Google Maps API are quite at odds.
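
Added example (not part of the original thread or OpenHatch's code): a small audit that walks a page's `src=` subresources, follows redirects and nested script loads, and reports every request that leaves HTTPS, which shows why neither the redirect nor proxying only the first script clears the warning. The hosts and the `SAMPLE` site map are constructed placeholders, and `insecure_hops` is a hypothetical helper name.

```python
import re
from urllib.parse import urljoin, urlsplit

PAGE = "https://site.example/people/"
# Constructed sample site (placeholder hosts): URL -> (status, body or Location).
SAMPLE = {
    PAGE: (200, '<script src="/maps.js"></script><img src="/logo.png">'),
    # HTTPS wrapper URL that only redirects to the plain-HTTP script.
    "https://site.example/maps.js": (302, "http://maps.example/api.js"),
    # The first script pulls in a second one, also over plain HTTP.
    "http://maps.example/api.js": (
        200, "document.write('<script src=\"http://maps.example/main.js\"></script>');"),
    "http://maps.example/main.js": (200, "/* map code */"),
    "https://site.example/logo.png": (200, ""),
}
SRC_RE = re.compile(r"""src=["']([^"']+)["']""")
REDIRECTS = {301, 302, 303, 307, 308}


def insecure_hops(page_url, fetch=SAMPLE.get):
    """Return (url, requested_via) for every non-HTTPS request made while
    loading page_url's subresources, following redirects and nested src= loads."""
    _, body = fetch(page_url)
    queue = [(urljoin(page_url, s), page_url) for s in SRC_RE.findall(body)]
    seen, findings = set(), []
    while queue:
        url, via = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        if urlsplit(url).scheme != "https":
            findings.append((url, via))
        status, payload = fetch(url, (404, ""))
        if status in REDIRECTS:
            # A redirect is a new request; its scheme is judged on its own.
            queue.append((urljoin(url, payload), url))
        else:
            queue.extend((urljoin(url, s), url) for s in SRC_RE.findall(payload))
    return findings


if __name__ == "__main__":
    for url, via in insecure_hops(PAGE):
        print(f"insecure request {url} (triggered by {via})")
```

Passing a different `fetch` (for example the `get` method of a site map where `/maps.js` is served directly over HTTPS) shows that the nested `main.js` load is still reported until every hop is HTTPS.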

Comment by paulproteus:

is an
example of someone else running into the same problem a year ago.

Not terribly useful, but nice to know we're not alone.

Comment by paulproteus:

Well, this ticket says to "decide". So, to proceed, we can either:

  • Decide to do nothing, and leave the warning. That's probably bad.

  • Pay $10K. (not happening, unless someone else really wants to spend it on this)

  • Decide to proxy the tiles. (This is more reasonable than it sounds; for one
    thing, we're only at 10% of our monthly bandwidth usage.) I think this is what
    we should go with, for now.

  • Decide to, for all people search pages, redirect the user to an http-based
    version of OpenHatch. (That would be such a depressing choice, in terms of user
    security and privacy.)

So let's decide to proxy the tiles. Next step is to figure out how that'll work.
That'll be a separate ticket.

Comment by palhmbs:

Marking this resolved since Google has made SSL Maps API free.

There is a new issue to deal with implementing that. See issue344.

Status: resolved
Nosy List: jesstess, paulproteus
Priority: bug
Imported from roundup ID: 213 (view archived page)
Last modified: 2011-03-24.18:53:45
