Security Warning - new go site to amigo query #101

Closed
lpalbou opened this issue Oct 21, 2018 · 6 comments
@lpalbou
Contributor

lpalbou commented Oct 21, 2018

During the meeting, Pascale pointed me to a security warning she had when searching for something in the "Search GO term or Gene Product" bar:

[Image: screen shot 2018-10-21 at 6 42 12 pm]

After looking around, I found the issue: GitHub Pages deploys the site in HTTPS (as it should) but AmiGO is only deployed in HTTP, hence this warning stating we'll be sending data to an unsecured website. This warning didn't exist for the old geneontology.org because it was also deployed on unsecured HTTP.

@kltm @cmungall could AmiGO be deployed in HTTPS? It would also mean that all GOlr services be deployed in HTTPS. IMHO, any reusable service should always be deployed in HTTPS as they are otherwise not accessible from other secured endpoints.
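
The downgrade described in this comment, as an added example (not code from the issue or the project): a Python check that lists form targets and subresources on an HTTPS page that resolve to plain `http://`. The hostnames and sample markup are constructed placeholders, and the function names are chosen for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute that makes the browser send a request or submit data, per tag.
URL_ATTRS = {"form": "action", "script": "src", "iframe": "src",
             "img": "src", "link": "href"}

class InsecureTargetFinder(HTMLParser):
    """Collect URLs on an HTTPS page that resolve to plain http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if tag == "form" and not value:
            value = ""  # a form without an action submits to the page itself
        if value is None:
            return
        # urljoin resolves relative paths and scheme-relative //host URLs.
        resolved = urljoin(self.page_url, value)
        if urlsplit(resolved).scheme == "http":
            kind = "insecure-form" if tag == "form" else "mixed-content"
            self.findings.append((kind, tag, resolved))

def find_insecure_targets(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # the downgrade only exists when the page itself is HTTPS
    finder = InsecureTargetFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample: placeholder hosts, not the project's real endpoints.
SAMPLE = """
<form action="http://search.example.org/amigo/search"><input name="q"></form>
<form action="/local/search"><input name="q"></form>
<script src="//cdn.example.org/lib.js"></script>
<img src="http://static.example.org/logo.png">
<a href="http://example.org/about">About</a>
"""

if __name__ == "__main__":
    for finding in find_insecure_targets("https://site.example.org/", SAMPLE):
        print(finding)
```

Plain links (`<a href>`) are deliberately not flagged: navigating to an HTTP page does not submit form data or load a subresource into the secure page.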

@lpalbou lpalbou added the enhancement New feature or request label Oct 21, 2018
@lpalbou
Contributor Author

lpalbou commented Dec 5, 2018

Note: this is also true when launching an enrichment analysis, as pantherdb is also HTTP. Pantherdb is being rewritten, but to avoid this issue delaying the release of the new site, I propose we just deploy it on S3/Cloudfront for the time being. Then, when everything is ready, we can always switch back to deploying on GitHub Pages (only HTTPS). One disadvantage of that is that we'll need to manually redeploy the site whenever changes are made on the pages (unless we use a webhook). @kltm your opinion?

@kltm
Member

kltm commented Dec 5, 2018

S3/Cloudfront is a viable way forward. There is no need for manual deployments, which should be avoided--anything that needs credentials can be orchestrated through a build pipeline. That said, I feel like we've been changing targets faster than we can make progress on any one of them, which is somewhat counterproductive. As we still need to have the root domain handled by a proxy, I think we should just see how much progress there is over the next week.

@suzialeksander
Collaborator

This hasn't changed yet, still encountering this pop up.

@lpalbou lpalbou added the bug Something isn't working label Jan 25, 2019
@lpalbou
Contributor Author

lpalbou commented Jan 25, 2019

I tag this issue as a bug as this is affecting usability. Meanwhile, the site is deployed in http.

@kltm
Member

kltm commented Feb 5, 2019

To catch this ticket up, initially, we were going to upgrade the AmiGO/GOlr servers to accept HTTPS so that there was not the downgrade warning. However, it looks like the PANTHER site, which has similar issues, will not be ready for a couple of months regardless, so we'll just keep HTTP for now, no HTTPS.

TL;DR: Current test.geneontology.io is now http-only, with https waiting in the wings.

@kltm kltm closed this as completed Feb 5, 2019
@kltm
Member

kltm commented Feb 5, 2019

Further SSL work can be the old geneontology/go-site#53
