This repository has been archived by the owner on Mar 25, 2019. It is now read-only.

Images URLs should be https, rather than http #228

Open
murraycu opened this issue Sep 24, 2015 · 9 comments

Comments

@murraycu
Contributor

This is really an issue for the people running the servers rather than the people developing the web client code. However:

The AWS S3 server's SSL/TLS support is apparently not as good as it could be.

This is a (slight) problem for app code running on iOS9, such as my ios-galaxyzoo app in progress. It's apparently a known problem with AWS S3, and it's apparently fairly easy to fix on the servers:
http://stackoverflow.com/a/32627003/1123654

Even though I can workaround it in my iOS app, it seems like something that should be fixed for general security reasons.

@willettk
Contributor

@astopy?


@murraycu
Contributor Author

Actually, I now see that the main problem for iOS is that the image URLs really are http rather than https. For instance:
http://www.galaxyzoo.org.s3.amazonaws.com/subjects/decals/standard/J214413.38-005656.5_standard.jpeg

They can be served via https just by changing the protocol in the URL:
https://www.galaxyzoo.org.s3.amazonaws.com/subjects/decals/standard/J214413.38-005656.5_standard.jpeg

But that's not going to work as long as the certificate is self-signed. It might also have the amazon S3 SSL/TLS problem anyway.

murraycu added a commit to murraycu/ios-galaxyzoo that referenced this issue Sep 24, 2015
To avoid this error in iOS 9:
"
Application Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.
"

See zooniverse/Galaxy-Zoo#228
@adammcmaster
Contributor

It’s not that the cert is self-signed, it’s just not valid for that domain name. If you can transform the URLs to the following format then you should be able to access them without any certificate errors:

https://s3.amazonaws.com/www.galaxyzoo.org/subjects/decals/standard/J214413.38-005656.5_standard.jpeg


@murraycu
Contributor Author

Thanks.

Then ideally the server should provide those URLs via the REST queries, I guess. For instance, in results for queries such as this:
https://api.zooniverse.org/projects/galaxy_zoo/groups/55db71251766276613000001/subjects?limit=4

Then it would be fixed for all clients.

The server code is not open source, I believe, so not something that I can fix here on github.

@murraycu murraycu changed the title Images server (AWS S3) is not secure enough for iOS9 Images URLs should be https, rather than http Sep 25, 2015
@adammcmaster
Contributor

Unfortunately those URLs are hard-coded in the MongoDB records, so it’s not something we can easily mass-update.


@murraycu
Contributor Author

How are those URLs generated? Maybe this can be corrected when the database records are created for the next survey subjects.

@adammcmaster
Contributor

Yes, agreed. They’re generated by a script which creates the records, so we can set them differently for any future subjects.


@murraycu
Contributor Author

Is this script in github somewhere?

@adammcmaster
Contributor

No, I don’t think it’s available anywhere unfortunately.


@willettk willettk mentioned this issue Mar 15, 2016