traccar / traccar-client-android

Traccar Client for Android
https://www.traccar.org/client
Apache License 2.0

SSL issues #362

Open oliv3 opened 6 years ago

oliv3 commented 6 years ago

https://github.com/traccar/traccar-client-android/blob/64687b26c21bf4dfed56eae2be7f3afd8a1495f6/app/src/main/res/xml/network_security_config.xml#L3

  1. Why is it so?
  2. Why doesn't demo.traccar.org support SSL?
  3. Also, why is there no HSTS on demo.traccar.org?

tananaev commented 6 years ago

  1. Because by default Traccar uses HTTP.

For other questions the answer is because no-one had time to configure that.

oliv3 commented 6 years ago
  1. and 3. are not a problem for the client per se; I was just asking because traccar.org does. Is that planned? Just asking again, not a problem to me. I'd just never use demo.traccar.org because of privacy issues.

The problem is 1.: What about adding a prompt if the user sets up (by mistake) an http:// URL when the domain does support https? So that the base URL would be fixed to use https:// if HSTS is not set up. (With HSTS you'd get a 301.)

Should be easy to add, I think. Anything against that?

tananaev commented 6 years ago

It's not really a client issue. Server should be configured with redirect.

oliv3 commented 6 years ago

Seems like demo. is not, whereas the main site is. Should be an easy fix for the admin. The point here is to warn the user that he/she could switch to https when the server allows both HTTP and HTTPS, and HSTS is not set up. Which might happen.

tananaev commented 6 years ago

I'm against it because it would create quite a bit of extra code (potential risk and maintenance cost) for a very small value to the end user. Remember that it would have to be implemented for iOS as well, if we decide to go with it.

oliv3 commented 6 years ago

Always forget that, right. I'll leave this open for now until someone is interested in doing the iOS part. Privacy concerns should matter, though.

tananaev commented 6 years ago

I agree that they should, but server side is a better way of handling this. By the way, it would be nice if we could somehow enable HTTPS on the server side and automate it.

oliv3 commented 6 years ago

Well, deploy the server behind a reverse proxy that handles the SSL termination? Simple, and it works just fine.

tananaev commented 6 years ago

That's the solution that we have at the moment, but Traccar can potentially handle HTTPS by itself.

oliv3 commented 6 years ago

You'd have to move all the SSL logic into the server: certificates, CAs, all that burden.

> it would create quite a bit of extra code (potential risk and maintenance cost)

tananaev commented 6 years ago

Yes, that's why we haven't done it yet, but there is a potential need for it. Apple and Google have been pushing for HTTPS-only for some time now, so eventually they might disallow plain HTTP completely or make it very inconvenient for the end user. In that case it would be nice to have easy-to-set-up support for it. One of the main reasons for Traccar's success is the ease of installation and use. Even someone without technical knowledge can do it.

oliv3 commented 6 years ago

Of course, agreed.
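The server-side fix the thread converges on (TLS termination in a reverse proxy, an HTTP-to-HTTPS redirect, and an HSTS header so a mistyped http:// URL is upgraded by the client itself), written out as an added nginx example; this is not Traccar's own documentation or configuration. It assumes the Traccar web/API listens on 127.0.0.1:8082, that the public name is tracker.example.com, and that the certificate paths are placeholders for your own.

```nginx
# Constructed example, not from the traccar project: nginx in front of Traccar.
# Assumptions: Traccar on 127.0.0.1:8082, public host tracker.example.com,
# certificate paths are placeholders to be replaced with your own.

# Plain HTTP: answer every request with a permanent redirect to HTTPS
# (this is the 301 mentioned in the thread).
server {
    listen 80;
    listen [::]:80;
    server_name tracker.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name tracker.example.com;

    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;    # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;

    # HSTS: a browser that has seen this header once refuses plain HTTP to
    # this host for a year, so a mistyped http:// URL is upgraded locally.
    # "always" keeps the header on error responses too; includeSubDomains
    # is what would also cover a host such as demo.<apex> when set on the apex.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://127.0.0.1:8082;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Assumption: the Traccar web UI keeps a WebSocket open for live
        # updates, so the connection upgrade must pass through the proxy.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

With this in place the Android client is simply pointed at the https:// URL; `curl -I http://tracker.example.com/` should answer with the 301 and `curl -I https://tracker.example.com/` should show the Strict-Transport-Security header.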