Imagej.net HTTP blanket redirect to HTTPS

https

#1

All unencrypted HTTP links on the ImageJ wiki now redirect to HTTPS. E.g., http://imagej.net/ goes to https://imagej.net/. Hopefully this will alleviate the login issues some people have been experiencing.

This is an experiment to see whether there are any adverse issues. Please complain on this thread if it causes you problems.

There are several other domains (e.g., http://fiji.sc/) which I would like to blanket redirect to HTTPS. However, please note that there are some subdomains which, for technical reasons, cannot be made to blanket redirect. In particular, Java has issues communicating with HTTPS URLs using Let’s Encrypt, the certificate authority used by imagej.net sites; see this SO post for technical details. So at least the following subdomains will continue to support [1] unencrypted HTTP for the foreseeable future: update.imagej.net, update.fiji.sc, sites.image.net, wsr.imagej.net, samples.fiji.sc.

[1] Of course, “support” here does not mean prefer. It is certainly the goal to make ImageJ use HTTPS with the updater whenever possible. It’s just that when using HTTPS is infeasible, e.g., because the Java version is too old, falling back to HTTP needs to remain possible (along with a warning to the user about security!).


Exception when updating Fiji
#2

@ctrueden there seems to be a problem: Exception when updating Fiji

I actually have the same problem.


#3

Thanks @tibuch. I added http://imagej.net/List_of_update_sites as an exclusion. I hope this fixes the issue.

Edit: There were still issues; I reverted the blanket redirect for the time being. :disappointed:


#4

@ctrueden @tibuch The template

hard-codes HTTP links for Fiji and ImageJ downloads but should instead hard-code HTTPS links. I created a new account for myself (my old one is dead) but cannot edit this template.

On another note, when can we expect default HTTPS support for Fiji update sites? I just found that all update sites in my Fiji distribution are still listed as HTTP links. Do HTTPS links work? I am asking because we were thinking about providing our stack of n5-related tools and libraries as a Fiji update site but we will not do this over HTTP because it is too dangerous for users.


#5

I am not sure it’s related, but could it explain the recent Travis failure to release pom-scijava 19.1.0? See https://github.com/scijava/pom-scijava/pull/55#issuecomment-359545791


#6

Thanks for noticing that, @axtimwalde. I fixed it.

As discussed, this is because Fiji ships with 1.8.0_66 which is too old to support Let’s Encrypt certificates.

Yes, they should work if the version of Java is 1.8.0_101 or later. Feel free to try it.

Achieving that will require additional code in the ImageJ Updater component and related infrastructure, as discussed on the earlier thread:

It could be as simple as a hack to replace http://sites.imagej.net with https://sites.imagej.net across the board when the version of Java being used is new enough (see above).

I have no bandwidth to work on it during the first half of 2018, but perhaps it is something which could be tackled at MPI-CBG as part of @fjug and @tomancak’s Fiji maintenance work. Or of course your group or anyone interested is welcome to work on it.

If you create an N5 update site on sites.imagej.net, you can certainly list it on the List of update sites page with https:—the PTBIOP site already does that. Just be aware that users with Java older than 1.8.0_101 will not be able to enable your update site successfully unless the infrastructure work discussed above is done.

I think that is an unrelated problem.
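
The version-gated rewrite suggested in #6, with the HTTP fallback and user warning from footnote [1] of #1, as an added example that is not part of the thread and is not ImageJ Updater code. The class and method names and the host allow-list are assumptions; the 1.8.0_101 threshold is the one stated in the thread, and Java 7 and older are treated as unable to use HTTPS because the thread gives no threshold for them.

```java
import java.net.URI;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class UpdateSiteHttps {
    // Minimum Java 8 update named in the thread (1.8.0_101).
    static final int MIN_JAVA8_UPDATE = 101;

    // True if a java.version string denotes 1.8.0_101 or later ("9.0.1", "11" included).
    static boolean supportsLetsEncrypt(String javaVersion) {
        String[] p = javaVersion.split("[._-]");
        try {
            int major = Integer.parseInt(p[0]);
            if (major != 1) return major >= 9;            // new scheme: 9, 11, 17.0.2
            int minor = p.length > 1 ? Integer.parseInt(p[1]) : 0;
            if (minor != 8) return minor > 8;             // 1.7 and older: stay on HTTP
            int update = p.length > 3 ? Integer.parseInt(p[3]) : 0;
            return update >= MIN_JAVA8_UPDATE;            // 1.8.0_66 -> false
        } catch (NumberFormatException e) {
            return false;                                 // unknown format: do not upgrade
        }
    }

    // Rewrites http:// to https:// only for allow-listed hosts on a new-enough JVM.
    static String preferHttps(String url, String javaVersion, Set<String> httpsHosts) {
        URI u = URI.create(url);
        if (!"http".equalsIgnoreCase(u.getScheme()) || u.getHost() == null) return url;
        if (u.getPort() != -1) return url;                // explicit port: leave untouched
        if (!httpsHosts.contains(u.getHost().toLowerCase(Locale.ROOT))) return url;
        if (!supportsLetsEncrypt(javaVersion)) {
            System.err.println("WARNING: Java " + javaVersion
                + " cannot validate this site's certificate; using unencrypted " + url);
            return url;
        }
        return "https" + url.substring(4);                // keep host, path and query
    }

    public static void main(String[] args) {
        // Assumed allow-list; the path below is a constructed sample.
        Set<String> hosts = new HashSet<>(Arrays.asList("sites.imagej.net"));
        String site = "http://sites.imagej.net/Example/";
        for (String v : new String[] {"1.8.0_66", "1.8.0_101", "9.0.1"}) {
            System.out.println(v + " -> " + preferHttps(site, v, hosts));
        }
        System.out.println(preferHttps(site, System.getProperty("java.version"), hosts));
    }
}
```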