Adding a best practice to use HTTPS... or at least have good SSL health?

[evansiroky]

Describe the problem

Some transit agencies may still use HTTP request methods to serve GTFS files. Other times, so agencies may have a SSL certificate with bad health. Both of these items may cause problems for data consumers where the request is rejected due to lack of a secure enough connection.

Use cases

This would happen when data is being requested using HTTP or HTTPS.

Proposed solution

Add a best practice that recommends using HTTPS with good health of the SSL certificates.

Additional information

I'm assuming this is very obvious to some people, but it does happen out in the wild.

[themightychris]

Potential health checks could include:

• Uses a widely accepted root certificate
• No broken intermediate certificate chain
• Not expiring within the next ~2 weeks (this would generally indicate a broken or forgotten renewal process as popular automated renewal systems will keep them updated 30 days out)

[skinkie]

-1 There is absolutely no reason why a secure connection should be required to download a feed. Making the data directly uncachable.

[paulswartz]

@skinkie can you say more about how using a secure connection would impact caching?

[leonardehrenfried]

There is nothing in the specs that prevents caching of assets fetched over HTTPS and browsers have been caching them for over 10 years: https://stackoverflow.com/questions/174348/will-web-browsers-cache-content-over-https

If you want to be doubly sure, you can add a cache-control: public header.

[skinkie]

@skinkie can you say more about how using a secure connection would impact caching?

No corporate proxy is able to cache secure content without adding mitm-certificates.

[leonardehrenfried]

@skinkie can you say more about how using a secure connection would impact caching?

No corporate proxy is able to cache secure content without adding mitm-certificates.

Didn't have you down as the sort of person who actually wants their ISP or employer to fiddle with their HTTP traffic. You learn something every day.

[skinkie]

1. I am personally against every effort that allows bigcorp CDN's to be the only remaining option to offload traffic. Because that is actually want happened with the https-only policies. This had nothing to do with "security".
2. I have seen first hand what a fruit company among us did with respect to downloading or GTFS file every single minute from multiple IP addresses in their range, not a single HEAD issued. And then noticed there are corporate users downloading via proxies to offload the change detection to something else.
3. For distribution of resources like GTFS, other technologies like IPFS could also significantly reduce the burden of producers making this data available, typically for free and without paywalls.

[westontrillium]

If it is decided to designate HTTPS usage as a best practice, it may be good to also include in that guidance a unified recommended approach on cert management; that aspect may be particularly challenging for smaller producers.