[openstreetmap/openstreetmap-website] HTTPS by default on openstreetmap.org (#1359)

Guillaume Rischard notifications at github.com
Sat Nov 5 17:35:36 UTC 2016

This ticket is intended to be a central place to discuss the possibility of switching openstreetmap.org to be https by default.

*This is a subject many people feel passionate about*, one way or the other, and not a switch that can simply be flicked on and off. Everyone's concerns, issues on the way, hopes, desires, possible solutions, etc. should be discussed or linked here.

Wikipedia did the switch [in 2015](https://blog.wikimedia.org/2015/06/12/securing-wikimedia-sites-with-https/).

This isn't about making all content available over https - that's AFAIK already the case, and users of the HTTPS Everywhere extension will always use HTTPS when loading the website.

The questions that we should address are:

## Should we redirect any traffic to HTTPS, or only strongly encourage it?

Sending HSTS headers, converting all links to https://, or both, would move most traffic to HTTPS while still replying to legacy HTTP requests.

## What issues would a switch to HTTPS by default cause?

* @systemed is concerned that HTTPS connections are less reliable over bad links; to get something measurable and reproducible, I have asked him to test https://www.httpvshttps.com, which leverages http/2, the next time he's on a bad connection.
  * Can people with access to a bad connection try it out? Does anyone know of users for whom openstreetmap.org is reproducibly slower or less reliable over https?
  * Is this something that can be mitigated or improved on the OWG side, for example by enabling http/2 everywhere?

* petschge (who's on IRC but not on github) was at a private university in Germany in 2015 where a faulty proxy made https browsing impossible. A lot has happened since then: a lot of sites now use HSTS, and Wikipedia's 2015 switch might have forced them to fix it. Unfortunately, he's not in contact with them anymore, and can't confirm that the problem still exists.
  * Does anyone know of users who can't access openstreetmap.org over https at all?
  * A possible way of measuring this would be by including two identical tracker pixels on openstreetmap.org, one served over http and the other over https, and compare the hit counts after a week.

* People using legacy browsers would be locked out.
  * [SSLLabs says that this would break IE6 on XP and Java 6 users](https://www.ssllabs.com/ssltest/analyze.html?d=openstreetmap.org&latest). What percentage of users would that be?
  * This could also be something that a tracker pixel and a detailed analysis of the user agents in the logs could provide.

## What issues would HSTS cause?

[HSTS breaks any site that accesses the OAuth API with http URLs](https://github.com/openstreetmap/openstreetmap-website/pull/1341#issuecomment-258439266).

HSTS could also be selectively enabled, for example only for the http/2 enabled tile servers, which could make the loading of maps faster. Note that clients that are http/2 capable automatically upgrade to https when they connect to a http/2 capable server.

## What advantages would a switch to HTTPS by default bring?

A few so far:

- Easing the load on the servers if we can serve all content over HTTP/2
- Better security and privacy for everyone - see the reasons that drove Wikipedia to switch
- More reliable Referer headers - https pages don't send them to http pages by default

## What would technically need to be done to make the switch?

Many pieces of our infrastructure would probably need to be changed or configured differently. How much work would this be for the OWG?

## Considering the pluses and minuses, is it worth it?

Many of us, myself included, have (strong) opinions on this. I would like us to reach a decision based on measurable facts, and hypothetically review that decision if those facts change over time.

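The rollout options the issue weighs (redirecting http:// to https://, sending HSTS, or both) and the HSTS side effect it links to (browsers silently upgrading http:// OAuth URLs) can be made concrete with a small model. The following is an added example, not code from the issue or from the openstreetmap-website project: it parses a Strict-Transport-Security header as RFC 6797 defines it, names the rollout stage a pair of observations implies, and lists which http:// URLs an HSTS-aware browser would rewrite. The responses, hostnames and consumer URLs it feeds in are constructed for illustration, not measurements of openstreetmap.org.

```python
# Added example (not code from the issue or from the openstreetmap-website project).
# Models the rollout options under discussion: redirecting http:// to https://,
# sending Strict-Transport-Security (HSTS), or both, and flags http:// URLs that an
# HSTS-aware browser would silently upgrade (the OAuth breakage linked above).
from urllib.parse import urlparse

REDIRECT_STATUSES = (301, 302, 307, 308)


def parse_hsts(header):
    """Parse a Strict-Transport-Security value per RFC 6797.

    Returns {"max_age": int, "include_subdomains": bool, "preload": bool},
    or None when the header is absent or malformed (no usable max-age).
    Directive names are case-insensitive; unknown directives are ignored.
    """
    if header is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # max-age must be a non-negative integer
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None  # max-age is mandatory; without it the header is invalid
    return policy


def classify_rollout(http_status, http_location, https_hsts_header):
    """Name the rollout stage from two observations of one site.

    http_status / http_location: the response to a plain http:// request.
    https_hsts_header: the Strict-Transport-Security value on the https://
    response (browsers only honour HSTS received over TLS).
    """
    redirects = http_status in REDIRECT_STATUSES and (http_location or "").startswith("https://")
    policy = parse_hsts(https_hsts_header)
    pinned = policy is not None and policy["max_age"] > 0
    if redirects and pinned:
        return "enforced"      # redirect now; the browser stays on https afterwards
    if redirects:
        return "redirected"    # every http request costs a round trip, no HSTS memory
    if pinned:
        return "encouraged"    # legacy http still answered; HSTS-aware clients move over
    return "optional"          # both schemes served, nothing steers the client


def hsts_covers(policy, hsts_host, url_host):
    """Would a browser that stored `policy` for hsts_host upgrade requests to url_host?"""
    if policy is None or policy["max_age"] == 0 or url_host is None:
        return False
    if url_host == hsts_host:
        return True
    return policy["include_subdomains"] and url_host.endswith("." + hsts_host)


def affected_http_urls(urls, hsts_host, policy):
    """Return the http:// URLs that HSTS would rewrite to https:// before sending.

    A client that signs the exact URL (OAuth 1.0a signature base strings include
    the scheme) can fail verification once the browser upgrades the request.
    """
    return [u for u in urls
            if urlparse(u).scheme == "http"
            and hsts_covers(policy, hsts_host, urlparse(u).hostname)]


if __name__ == "__main__":
    # Constructed observations, not measurements of the live site.
    print(classify_rollout(200, None, None))                                  # optional
    print(classify_rollout(200, None, "max-age=31536000"))                    # encouraged
    print(classify_rollout(301, "https://www.openstreetmap.org/", None))      # redirected
    print(classify_rollout(301, "https://www.openstreetmap.org/",
                           "max-age=31536000; includeSubDomains; preload"))   # enforced
    # Constructed consumer URLs; the hostnames are the site's, the paths illustrative.
    consumer_urls = [
        "http://www.openstreetmap.org/oauth/authorize",
        "http://api.openstreetmap.org/api/0.6/user/details",
        "https://www.openstreetmap.org/oauth/access_token",
        "http://example.org/callback",
    ]
    wide = parse_hsts("max-age=31536000; includeSubDomains")
    print(affected_http_urls(consumer_urls, "openstreetmap.org", wide))
```

The `classify_rollout` stages map onto the question of redirecting versus encouraging: a site that only adds HSTS keeps answering legacy HTTP while capable browsers move over on their own, whereas a redirect without HSTS pays a round trip on every plain request. `affected_http_urls` is the inventory a site operator would run over registered OAuth consumer URLs before enabling HSTS, since `includeSubDomains` widens the blast radius from one hostname to every subdomain.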