Preparing Projects for HTTPS
Why this change?
Browser vendors have been encouraging sites to support SSL encryption for the privacy and security of their users in response to threats from criminals, ad networks, and government surveillance. Part of these efforts have been design changes that educate users not to trust unencrypted sites with their passwords and other personal information. These warnings have and will continue to become more threatening over time as SSL encryption is supported by a growing majority of websites. These are the types of warnings that will soon be displayed by Google Chrome.
SeaSketch is particularly difficult to migrate to https due to the fact that we rely on 3rd-party data services distributed globally. Some of these data services do not support SSL and will have to be disabled. Even so, SeaSketch may handle sensitive data and it is critical that we must make these changes now to ensure the trust and security of our users.
What do I need to do as a project admin?
As a project admin, you will need to take action to update insecure services or they will be disabled on November 10th. In addition, the SeaSketch team has made some changes behind the scenes to make this transition as easy as possible. We've uploaded images and logos associated with your project to https-enabled image hosts automatically. We've also updated data services links to https when we detected existing SSL support.
Update insecure basemaps
Basemaps that utilize insecure services will be identified as such in the admin interface. Please change the data source by clicking on the gear icon and changing to a service url that begins with https://. These "insecure" messages will only appear in the admin interface and will not be visible to users in the main project page. After November 10th, insecure basemaps will no longer appear in the list of options.
Update insecure data layers in the table of contents
Insecure data layers are also identified with a warning in the data layers section of the admin interface. These warnings only appear to admins and these layers will continue to work normally until November 10th. After that date they will be disabled and an explanation as to why will appear to end-users.
To update these layers, right-click on a layer and choose "Edit". From the Edit Node modal you have the option to pick a new data source. The new data source url will need to begin with https.
If you have lots of layers hosted on the same server and have recently enabled https, please contact us and we can automate the process of migrating over your links. You need not change dozens of links by hand in the admin interface.
Test your project
Accessing the site from https://www.seasketch.org will enable encryption and give you a preview of how the site will appear to all users after November 10th. Please check that your data services are appearing normally and that you aren't seeing any warnings from your browser.
FAQ
Some of my data services do not support HTTPS. What should I do?
If you are not the data host and the same services are not available by changing the url to https:// you should contact the administrator of that site. Request that they make their services available over the https protocol. SSL certificates should be available for minimal cost from their domain name service or they may even be able to obtain one for free.
If you are the data host, ask your IT or GIS administrator to enable https for the site. Generally, this process involves obtaining an SSL Certificate from your DNS provider, installing that certificate on the server, and updating DNS records to direct https traffic appropriately. Each server is different and the detailed steps are beyond the scope of this document, but please contact us if you have questions about your particular setup. Esri has documentation on enabling https on ArcGIS Server.
Is my information secure now, without https?
SeaSketch already encrypts communication of user data using https whenever requesting or sending data to the server, other than the initial page load. User data is not sent "in the clear" or available for capture as it is in transit between the client and server. This is an interim measure to protect user data short of enabling encryption site-wide and requiring all map services to support https. These new measures will provide an additional level of protection against sophisticated attackers who may have access to a user's physical network. These changes are not in response to any data breaches but rather an adoption of evolving security best practices.