asterics / AsTeRICS

The Assistive Technology Rapid Integration & Construction Set
http://www.asterics.eu

REST: Add SSL support (https) to REST-API #266

Closed deinhofer closed 5 years ago

deinhofer commented 5 years ago

The ARE REST-API and the underlying webserver currently only support http (no SSL encryption).

This should be changed to support https by default for the following reasons:

Solution

A self-signed certificate should be sufficient, as we only have to ensure that the mixed content problem is circumvented. Nevertheless, here is an idea of how we could use a CA-trusted certificate for e.g. localhost.asterics-foundation.org

klues commented 5 years ago

regarding (1), sensitive user data: to my mind this is not that much of a problem because normally the workflow will be like: a) user loads webpage with areCommunicator.js javascript file b) in javascript the ARE REST-API is used. This means: the communication between webpage and ARE REST API only happens between the local javascript in the browser and the ARE on localhost. Therefore the data never leaves the own computer and it should be no problem at all for sensitive data being transferred. It would be different if a webapp would access another ARE in the local network, e.g. 192.168.0.10. However any browser will restrict this access and therefore we also do not need SSL for it.

regarding (2): Chrome and Edge seem to have no problem to connect to http://localhost from a https://webapp. However in FF there seems to be a bug preventing this type of connection, see https://bugzilla.mozilla.org/show_bug.cgi?id=1376310. I've commented and upvoted this bug, let's hope it will be fixed soon.

Summary: I think currently the only real benefit of implementing SSL for the ARE REST API would be that the AsTeRICS Ergo Grid (probably) could access a local ARE in Firefox afterwards. For other browsers it would not be a real benefit.
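The workflow klues describes (web app loads areCommunicator.js, the script talks to an ARE on localhost) and the mixed-content situation in (2) can be made concrete with a small client-side helper. This is an added example, not code from areCommunicator.js or the AsTeRICS project; the ports 8081/8443 and the `/rest/` path are assumptions.

```javascript
// Added example (not part of areCommunicator.js or the AsTeRICS project).
// Picks the ARE REST base URL from the origin of the page that loaded the
// script and reports whether the request would be mixed content, i.e. an
// https page calling http://… (the case Firefox blocks in the linked bug).
// Ports and the "/rest/" path are assumptions, not the ARE's real defaults.

const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Only an ARE on the same machine is in scope: data then never leaves the
// computer, and browsers would block a LAN address such as 192.168.0.10 anyway.
function isLoopbackHost(host) {
  return LOOPBACK_HOSTS.has(String(host).toLowerCase());
}

// Mixed content: a page served over https fetching an http:// resource.
// Every other scheme combination is allowed by browsers.
function isMixedContent(pageUrl, apiUrl) {
  const page = new URL(pageUrl);
  const api = new URL(apiUrl);
  return page.protocol === "https:" && api.protocol === "http:";
}

// pageUrl:         location.href of the web app (e.g. the AsTeRICS Ergo Grid)
// areHost:         host the ARE listens on (must be loopback)
// areSupportsHttps: whether the ARE REST API offers https at all
// ports:           { http, https } assumed listening ports of the ARE
// Returns the base URL the client should use and whether a browser that
// enforces mixed content blocking would refuse it.
function planAreConnection(pageUrl, areHost, areSupportsHttps, ports) {
  if (!isLoopbackHost(areHost)) {
    throw new Error(`refusing non-local ARE host: ${areHost}`);
  }
  const pageIsHttps = new URL(pageUrl).protocol === "https:";
  // Prefer https only when the page is https and the ARE can actually serve it;
  // an http page calling https://localhost is allowed but gains nothing here.
  const useHttps = pageIsHttps && areSupportsHttps;
  const scheme = useHttps ? "https" : "http";
  const port = useHttps ? ports.https : ports.http;
  const url = `${scheme}://${areHost}:${port}/rest/`;
  return { url, mixedContent: isMixedContent(pageUrl, url) };
}

// Constructed sample: an https-hosted web app talking to an http-only ARE.
const PORTS = { http: 8081, https: 8443 };
const current = planAreConnection("https://grid.example.org/app/", "localhost", false, PORTS);
// current.mixedContent is true: this is the situation the issue wants to fix.
```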