Run iShare under HTTPS
Introduction
As of October 2016 all central government web services underpinning www.gov.uk are required to run under HTTPS (rather than HTTP), such that all traffic between the user’s web browser and the web server is encrypted.
Whilst this mandate does not extend to local authority websites at present, it is a best practice that many public sector bodies are following, as it prevents third parties on the network path from reading or altering traffic (so called 'man in the middle' attacks).
As our customers may wish to run iShare Maps and associated embedded maps under HTTPS, this page provides guidelines on how to change an iShare Maps implementation to run under HTTPS.
Why use HTTPS
HTTPS provides critical security and data integrity both for your websites and for the people that entrust your websites with their personal information. The encryption within HTTPS means that only your browser and the server can decrypt the traffic. This is why you should always protect your websites with HTTPS, even if they don’t handle sensitive communications.
HTTPS protects the integrity of your website
HTTPS helps prevent intruders from tampering with the communications between your website and your users’ browsers. Intruders include intentionally malicious attackers, and legitimate but intrusive companies that inject advertisements into pages.
Intruders can exploit any unprotected resource (images, cookies, scripts and so on) that travels between your website and your users. Intrusions can occur at any point in the network, including a user's machine or a Wi-Fi hotspot.
HTTPS protects the privacy and security of your users
HTTPS prevents intruders from being able to passively listen in on the communications between your websites and your users. Every unprotected HTTP request can potentially reveal information about the behaviours and identities of your users as intruders can, by looking at their browsing activities, make inferences about their behaviours and intentions.
Considerations prior to changes
It will be necessary to configure iShare for HTTPS if services and maps are to be used in conjunction with a website which itself runs under HTTPS. iShare can be run under HTTP and HTTPS simultaneously so it can be implemented in stages.
- It is normally fairly simple to configure a recently installed or new iShare site, but the process can be more involved for longer standing sites, as any customisation (for example use of our iShare Web Services) may need to be considered. Please contact Astun Technology via the Support Portal if you require any assistance with this process.
- iShare sites that use Workspaces/ dual-languages (e.g. English and Welsh) will need individual IIS SSL certificates for each site: each IIS site needs its own https binding with a certificate that covers its host name (separate certificates, or one wildcard/SAN certificate bound to each site).
Step-by-step guide
Your IT team should undertake the following tasks:
- Configure the SSL certificate(s) in IIS
  - IIS > Server Certificates > Import... (for a .pfx you already hold), or Complete Certificate Request... if you generated a certificate request on the server and have received the signed certificate back from the CA.
- Configure bindings for the site(s)
  - IIS > Web Site > Bindings > Add Site Binding: select Type https, enter the host name the site is published under, and pick the SSL certificate. Leave the existing http binding in place for now, so that iShare remains reachable over both protocols during the change-over.
- If you are using Workspaces then you need to edit iShareMaps.xml to contain the new HTTPS Web URL overrides - see Override Configuration & Map Source Settings.
- If you run a single site on iShare v5.2.8 or below, update the WebURL under the Web category in the iShare Master Settings so that it uses HTTPS (iShare Settings > Master Settings > Web > WebURL).
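The certificate and binding steps above, scripted for an IT team that has several iShare sites to convert (for example an English and a Welsh workspace site). This is an added example and not Astun's code; the site names, host names and .pfx paths are assumptions, and it needs the IIS WebAdministration module (the -SslFlags parameter for SNI needs IIS 8 / Windows Server 2012 or later). It also adds the checks a practitioner wants before binding: that the certificate has its private key, that it names the host, and that it is not about to expire.

```powershell
# Added example, not Astun's code: import a certificate and add an https binding
# for each IIS site that serves iShare. Site names, host headers and PFX paths
# below are assumptions for this example.
Import-Module WebAdministration

$sites = @(
    @{ Name = 'iShare';       HostHeader = 'maps.example.gov.uk';   Pfx = 'C:\certs\maps.pfx' }
    @{ Name = 'iShare-Welsh'; HostHeader = 'mapiau.example.gov.uk'; Pfx = 'C:\certs\mapiau.pfx' }
)

foreach ($site in $sites) {
    if (-not (Test-Path "IIS:\Sites\$($site.Name)")) {
        Write-Warning "IIS site '$($site.Name)' not found; skipping"
        continue
    }

    # Import into the machine store (not the user store); IIS needs the private key.
    $pfxPassword = Read-Host -AsSecureString "Password for $($site.Pfx)"
    $cert = Import-PfxCertificate -FilePath $site.Pfx `
                -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

    # Sanity checks before the certificate is bound.
    if (-not $cert.HasPrivateKey) { throw "$($site.Pfx) contains no private key" }
    if (-not ($cert.DnsNameList.Unicode -contains $site.HostHeader)) {
        # A wildcard certificate will not match literally, so this is a warning only.
        Write-Warning "$($cert.Subject) does not list $($site.HostHeader) as a DNS name"
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "$($cert.Subject) expires on $($cert.NotAfter)"
    }

    # Add the https binding with SNI (SslFlags 1) so several host names can share port 443.
    if (-not (Get-WebBinding -Name $site.Name -Protocol https -HostHeader $site.HostHeader)) {
        New-WebBinding -Name $site.Name -Protocol https -Port 443 `
            -HostHeader $site.HostHeader -SslFlags 1
    }
    $binding = Get-WebBinding -Name $site.Name -Protocol https -HostHeader $site.HostHeader
    $binding.AddSslCertificate($cert.Thumbprint, 'My')   # 'My' = Cert:\LocalMachine\My
}

# Verify: each site should now list both its http and its https binding.
foreach ($site in $sites) {
    Get-WebBinding -Name $site.Name | Select-Object protocol, bindingInformation
}
```

The existing http binding is deliberately left alone, which matches the staged approach described under "Considerations prior to changes": the site answers on both protocols until the templates and settings have been switched over and a redirect is in place.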
Mixed content warnings
- Use the web browser developer tools (console and network tabs) to find mixed content, i.e. elements of an HTTPS page that are being served via HTTP.
- Change links within templates to HTTPS. Otherwise the end user will get a warning about mixed HTTP and HTTPS content, and modern browsers go further and block "active" mixed content such as scripts and stylesheets outright, so parts of the map page can simply fail to load. The affected resources are typically CSS, JavaScript and images. If you have written http:// into an href or src, either change it to https:// or, for resources on your own server, use a relative path.
Removing the scheme altogether (a scheme-relative reference such as //host/path) also works, because a page loaded over HTTPS then requests the asset over HTTPS, and this prevents the "This Page Contains Both Secure and Non-Secure Items" message in IE. Writing https:// explicitly is the safer choice, since the asset then stays encrypted even if the page is ever loaded over plain HTTP. Third-party resources need checking individually: a host that does not offer HTTPS has to be replaced or proxied, not just rewritten.
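The browser developer tools only show mixed content for the page currently open. The following added script (not Astun's code) does the same check across a whole template directory before the switch-over: it reports every src, href, action, url(...) or @import that still points at http://, and, with -Fix, rewrites only the hosts you have listed as your own, because third-party hosts may not offer HTTPS. The template path, file types and host names are assumptions for this example.

```powershell
# Added example, not Astun's code: find resources referenced over plain http://
# in iShare templates, and optionally rewrite those on your own HTTPS hosts.
param(
    [string]$TemplateRoot = 'C:\inetpub\wwwroot\iShare',  # assumed template location
    [string[]]$OwnHosts   = @('maps.example.gov.uk'),      # hosts you now serve over HTTPS
    [switch]$Fix
)

# src=, href=, action= and CSS url(...) / @import url(...) followed by http://host
# Group 1 captures the host so each finding can be classed as own or third-party.
$pattern = '(?i)(?:(?:src|href|action)\s*=\s*["'']|url\(\s*["'']?)http://([^/"''\s)]+)'

$files = Get-ChildItem -Path $TemplateRoot -Recurse -File `
            -Include *.html,*.htm,*.aspx,*.ascx,*.master,*.css,*.js,*.xml

foreach ($file in $files) {
    $findings = Select-String -Path $file.FullName -Pattern $pattern -AllMatches
    foreach ($finding in $findings) {
        foreach ($hit in $finding.Matches) {
            $hostName = $hit.Groups[1].Value.ToLower()
            # Emit objects, so the report can be piped to Format-Table or Export-Csv.
            [pscustomobject]@{
                File    = $file.FullName
                Line    = $finding.LineNumber
                Host    = $hostName
                OwnHost = ($OwnHosts -contains $hostName)   # safe to rewrite to https://
                Text    = $finding.Line.Trim()
            }
        }
    }

    if ($Fix) {
        # Only rewrite hosts we control; anything else stays for manual review.
        $original = [IO.File]::ReadAllText($file.FullName)
        $updated  = $original
        foreach ($own in $OwnHosts) {
            $updated = $updated -replace ('(?i)http://' + [regex]::Escape($own)), ('https://' + $own)
        }
        if ($updated -ne $original) {
            [IO.File]::WriteAllText($file.FullName, $updated)   # note: writes UTF-8
        }
    }
}
```

Run it without -Fix first and review the OwnHost column: rows with OwnHost false are third-party resources that have to be checked by hand (does the host serve HTTPS at all?), since rewriting them blindly would turn a warning into a broken resource. Back up or version-control the templates before running with -Fix.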
Considerations after configuration changes
IIS Redirect - Once the HTTPS binding works, set up an IIS redirect from HTTP to HTTPS (a permanent, 301 redirect, for example with the URL Rewrite module as described at http://stackoverflow.com/questions/46347/iis7-http-https-cleanly) so that users who have bookmarked the HTTP URL land on the HTTPS URL. Keep the http binding in place, as the redirect can only be served from it. Note that non-browser clients of the iShare Web Services may not follow redirects, so their configured URLs should be updated to HTTPS explicitly.
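The redirect above, written into the site's web.config through the URL Rewrite module from PowerShell rather than clicking through IIS Manager. This is an added example and not Astun's code; the site name is an assumption, and it requires the URL Rewrite module to be installed (the script checks). It goes one step beyond the page by also emitting a Strict-Transport-Security header, which tells browsers that have seen the HTTPS site once to go straight to HTTPS from then on, so the redirect is only needed on first contact.

```powershell
# Added example, not Astun's code: permanent HTTP -> HTTPS redirect for an iShare
# site via the IIS URL Rewrite module, plus an HSTS header. Site name is assumed.
Import-Module WebAdministration

function Add-HttpsRedirectRule {
    param([string]$SiteName, [string]$RuleName = 'HTTP to HTTPS')

    $psPath = "MACHINE/WEBROOT/APPHOST/$SiteName"
    $rules  = 'system.webServer/rewrite/rules'
    $rule   = "$rules/rule[@name='$RuleName']"

    if (-not (Get-WebGlobalModule -Name RewriteModule)) {
        throw 'IIS URL Rewrite module is not installed; the rule would be ignored'
    }
    # The redirect is served from the http binding, so it must still exist.
    if (-not (Get-WebBinding -Name $SiteName -Protocol http)) {
        throw "Site '$SiteName' has no http binding left to redirect from"
    }
    if (Get-WebConfiguration -PSPath $psPath -Filter $rule) {
        Write-Warning "Rule '$RuleName' already exists on '$SiteName'; nothing changed"
        return
    }

    Add-WebConfigurationProperty -PSPath $psPath -Filter $rules -Name '.' `
        -Value @{ name = $RuleName; patternSyntax = 'Regular Expressions'; stopProcessing = 'True' }

    # Match every path, but only when the request did not arrive over TLS.
    Set-WebConfigurationProperty -PSPath $psPath -Filter "$rule/match" -Name url -Value '(.*)'
    Add-WebConfigurationProperty -PSPath $psPath -Filter "$rule/conditions" -Name '.' `
        -Value @{ input = '{HTTPS}'; pattern = 'off' }

    # 301 so browsers and search engines update the stored URL. While testing,
    # use redirectType 'Found' (302): browsers cache 301s and a wrong one is hard to undo.
    Set-WebConfigurationProperty -PSPath $psPath -Filter "$rule/action" -Name type -Value 'Redirect'
    Set-WebConfigurationProperty -PSPath $psPath -Filter "$rule/action" -Name url -Value 'https://{HTTP_HOST}/{R:1}'
    Set-WebConfigurationProperty -PSPath $psPath -Filter "$rule/action" -Name redirectType -Value 'Permanent'

    # HSTS: browsers ignore this header over plain HTTP, so sending it on every
    # response is harmless. Start with a short max-age until HTTPS is known-good.
    Add-WebConfigurationProperty -PSPath $psPath -Filter 'system.webServer/httpProtocol/customHeaders' `
        -Name '.' -Value @{ name = 'Strict-Transport-Security'; value = 'max-age=300' }
}

Add-HttpsRedirectRule -SiteName 'iShare'
```

Check the result from a client with a plain HTTP request to the site (for example curl -I http://maps.example.gov.uk/ with your own host name): the response should be a 301 with a Location header pointing at the https:// URL, and the HTTPS response should carry the Strict-Transport-Security header. Raise max-age (a year is typical) once the HTTPS site has been in use for a while without problems.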