traccar-client-android icon indicating copy to clipboard operation
traccar-client-android copied to clipboard

Published 20 hours ago verified publisher icon traccar

SSL issues

Open oliv3 opened this issue 6 years ago • 12 comments

https://github.com/traccar/traccar-client-android/blob/64687b26c21bf4dfed56eae2be7f3afd8a1495f6/app/src/main/res/xml/network_security_config.xml#L3

  1. Why is it so ?
  2. Why doesn't demo.traccar.org support SSL ?
  3. Also, why is there no HSTS on demo.traccar.org ?

oliv3 avatar Sep 07 '18 10:09 oliv3

  1. Because by default Traccar uses HTTP.

For other questions the answer is because no-one had time to configure that.

tananaev avatar Sep 07 '18 11:09 tananaev

  1. and 3. are not a problem for the client per se, I was just asking because traccar.org does. Is that planned ? Just asking again, not a problem to me. I'd just never use demo.traccar.org because of privacy issues.

The problem is 1.: What about adding a prompt if the user sets up (by mistake) an http:// URL when the domain does support https ? So that the base URL would be fixed to use https:// if HSTS is not set up. (With HSTS you'd get a 301).

Should be easy to add I think, anything against that ?

oliv3 avatar Sep 07 '18 11:09 oliv3

It's not really a client issue. Server should be configured with redirect.

tananaev avatar Sep 07 '18 11:09 tananaev

Seems like demo. is not, whereas the main site is. Should be an easy fix for the admin. The point here is to warn the user he/she could switch to https when the server allows both HTTP and HTTPS, and HSTS is not set up. Which might happen.

oliv3 avatar Sep 07 '18 11:09 oliv3

I'm against it because it would create quite a bit of extra code (potential risk and maintenance cost) for a very small value to the end user. Remember that it would have to be implemented for iOS as well, if we decide to go with it.

tananaev avatar Sep 07 '18 11:09 tananaev

Always forget that, right. I'll leave this open for now until someone is interested in doing the iOS part. Privacy concerns should matter, though.

oliv3 avatar Sep 07 '18 11:09 oliv3

I agree that they should, but server side is a better way of handling this. By the way, it would be nice if we could somehow enable HTTPS on the server side and automate it.

tananaev avatar Sep 07 '18 11:09 tananaev

Well, deploy the server behind a reverse proxy that handles the SSL termination ? Simple and works just fine.

oliv3 avatar Sep 07 '18 11:09 oliv3

That's the solution that we have at the moment, but Traccar can potentially handle HTTPS by itself.

tananaev avatar Sep 07 '18 11:09 tananaev

You'd have to move all the SSL logic in the server, certificates, CAs, all that burden.

it would create quite a bit of extra code (potential risk and maintenance cost)

oliv3 avatar Sep 07 '18 12:09 oliv3

Yes, that's why we haven't done it yet, but there is a potential need for it. Apple and Google have been pushing for HTTPS-only for some time now, so eventually they might disallow plain HTTP completely or make it very inconvenient for end user. In that case it would be nice to have a easy to setup support for it. One of the main reasons for Traccar success is the ease of installation and use. Even someone without technical knowledge can do it.

tananaev avatar Sep 07 '18 12:09 tananaev

Of course aggreed.

oliv3 avatar Sep 07 '18 12:09 oliv3