Thousands of public Web GIS services are effectively worthless for enterprise consumption, but there is a simple cure. These sites are served without TLS (HTTPS) support. Frequently, the operators of the sites are unaware that their lack of TLS support prevents other organizations from consuming their services at all.
The issue is that enterprise deployments of Portal for ArcGIS and ArcGIS Online typically require TLS for their own services so that their information is encrypted in transit. If the geospatial enterprise wants to mash up an external service, that external service also needs to be available over TLS. Otherwise the browser treats the plain-HTTP request from an HTTPS page as mixed content: end users receive mixed content warnings, and because modern browsers block active mixed content (scripts and data requests, which is what a map service request is) outright, the layer simply fails to display.
The Cure: If you have a GIS service that you want to share with other organizations (or the public), always ensure that you at least offer TLS. In other words, your GIS services should be provided via HTTPS only, or provide end users the choice of HTTP or HTTPS (never HTTP only). HTTPS only is the stronger of the two; keeping an HTTP listener alongside HTTPS is a concession to legacy clients, and an HTTPS consumer gains nothing from it.
SSL / TLS: Some readers may be scratching their heads about our discussion here of TLS (as opposed to SSL), and you will continue to see the two terms used interchangeably in documentation and presentations. To be clear, though, SSL v3 was pronounced dead last year with the announcement of the industry-wide POODLE vulnerability (CVE-2014-3566, October 2014). Starting with the ArcGIS 10.3 release, Esri disabled SSL v3 for its web services and moved to TLS only to support the secure operations of our customers.
Check endpoints: We recommend checking your secure web endpoints for alignment with best practices (such as SSL v3 being disabled). An easy way to check a site exposed to the Internet is the Qualys SSL Labs Server Test; just type in the domain name of interest. Another benefit of this tool is that you can quickly validate whether the services you rely on are vulnerable to the latest SSL/TLS issue in the media, such as FREAK from just last week, which only affects servers that still accept the RSA_EXPORT cipher suites. A quick check of ArcGIS Online's domain, arcgis.com, shows that the vulnerable RSA_EXPORT cipher suites are NOT offered, and therefore ArcGIS Online is NOT vulnerable. Note that SSL Labs can only reach hosts exposed to the Internet; intranet-only GIS servers need to be checked with a scanner run from inside the network.
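For endpoints SSL Labs cannot reach, the same checks can be scripted. The following Python script is an added example; it is not code from the original post or from Esri. Given a service URL it reports whether the service is HTTP only (the mixed content case from the cure above), whether an HTTPS handshake with full certificate and host name validation succeeds, and whether the server still accepts SSL v3 (POODLE) or RSA export cipher suites (FREAK). The host names in it are placeholders. A downgrade probe is reported as not testable when the local OpenSSL build no longer offers the legacy protocol or ciphers at all, which is the usual case on a current workstation and is exactly why an external scanner remains useful.

```python
"""TLS posture check for one GIS service URL.

Added example (not code from the original post or from Esri): is the service
reachable over HTTPS (so an HTTPS Portal/ArcGIS Online page can mash it up
without mixed content), does the server still accept SSL v3 (POODLE), and does
it still accept RSA export cipher suites (FREAK)? Host names are placeholders.
"""
import socket
import ssl
import sys
from urllib.parse import urlparse, urlunparse

EXPORT_PREFIXES = ("EXP-", "EXP1024-")   # OpenSSL naming for RSA_EXPORT suites (FREAK)
# Alert reasons meaning OUR OpenSSL could not offer the legacy feature at all,
# so a failed handshake says nothing about the server.
LOCAL_LIMIT_REASONS = ("NO_PROTOCOLS_AVAILABLE", "NO_CIPHERS_AVAILABLE")


def is_export_cipher(openssl_name):
    """True if an OpenSSL cipher-suite name denotes an export-grade suite."""
    return openssl_name.upper().startswith(EXPORT_PREFIXES)


def https_variant(url):
    """Same URL with the https scheme: the form an HTTPS Portal page must use."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("not a web service URL: " + url)
    return urlunparse(parts._replace(scheme="https"))


def _handshake(host, port, ctx, timeout):
    """One TLS handshake. Returns (True, details) or (False, reason string)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, {"version": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLError as exc:
        return False, "handshake rejected: %s" % (exc.reason or exc)
    except OSError as exc:          # refused, timed out, DNS failure, no network
        return False, "connect failed: %s" % exc


def _legacy_context():
    """Permissive context for downgrade probes only: no certificate checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def _verdict(ok, info):
    """True = accepted, False = server refused, None = local library limit."""
    if ok:
        return True
    return None if any(r in str(info) for r in LOCAL_LIMIT_REASONS) else False


def probe_sslv3(host, port=443, timeout=5):
    """Does the server still complete an SSL v3 handshake?"""
    try:
        ctx = _legacy_context()
        ctx.options &= ~ssl.OP_NO_SSLv3             # default contexts forbid SSL v3
        ctx.minimum_version = ssl.TLSVersion.SSLv3
        ctx.maximum_version = ssl.TLSVersion.SSLv3  # offer SSL v3 and nothing else
    except (ValueError, ssl.SSLError, AttributeError):
        return None                                 # local OpenSSL built without SSL v3
    return _verdict(*_handshake(host, port, ctx, timeout))


def probe_export_ciphers(host, port=443, timeout=5):
    """Does the server still negotiate an RSA export suite?"""
    ctx = _legacy_context()
    try:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() does not govern TLS 1.3
        ctx.set_ciphers("EXPORT:@SECLEVEL=0")         # offer nothing but export suites
    except (ValueError, ssl.SSLError, AttributeError):
        return None                                   # none compiled into local OpenSSL
    ok, info = _handshake(host, port, ctx, timeout)
    if ok and not is_export_cipher(info["cipher"]):
        return False                                  # reached it, but it chose a real suite
    return _verdict(ok, info)


def probe_service(url, timeout=5):
    """Assess one GIS service URL and return a findings dict."""
    parts = urlparse(https_variant(url))
    host, port = parts.hostname, parts.port or 443
    ok, info = _handshake(host, port, ssl.create_default_context(), timeout)
    result = {"url": url,
              "http_only_risk": urlparse(url).scheme == "http",  # mixed content from an HTTPS page
              "https_ok": ok,                  # handshake with chain and host-name validation
              "https_detail": info, "sslv3": None, "export_ciphers": None}
    if ok or not str(info).startswith("connect failed"):   # no probes against an unreachable host
        result["sslv3"] = probe_sslv3(host, port, timeout)
        result["export_ciphers"] = probe_export_ciphers(host, port, timeout)
    return result


def summarize(result):
    """Human-readable report lines for one probe_service() result."""
    lines = [result["url"], "  HTTPS handshake: %s %s" % (
        "OK" if result["https_ok"] else "FAILED", result["https_detail"])]
    if result["http_only_risk"]:
        lines.append("  served over HTTP: an HTTPS Portal page will block it as mixed content")
    for key, label in (("sslv3", "SSL v3 (POODLE)"), ("export_ciphers", "RSA export suites (FREAK)")):
        state = {True: "ACCEPTED - fix this", False: "refused", None: "not testable from here"}
        lines.append("  %s: %s" % (label, state[result[key]]))
    return lines


if __name__ == "__main__":   # e.g. python tls_check.py http://gis.example.org/arcgis/rest/services
    target = sys.argv[1] if len(sys.argv) > 1 else "https://www.arcgis.com"
    print("\n".join(summarize(probe_service(target))))
```

Two design points worth noting: the baseline handshake uses `ssl.create_default_context()`, so a self-signed or mis-named certificate is reported as a failed HTTPS handshake, which is what a Portal consumer would also see; and the export probe checks the negotiated cipher name rather than trusting that the handshake succeeded, because `set_ciphers()` does not restrict TLS 1.3 suites, so a TLS 1.3 server could otherwise complete the handshake with a strong suite and look vulnerable.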
Call to action: Please do your part: check your services and spread the word. Ask operators of any HTTP-only services to at least add HTTPS as an option. A summary of ArcGIS for Server security best practices is available on the Trust site, along with references to documentation on how to enable HTTPS.
The days of the HTTP-only GIS service end today; ending them is a key enabler of the Web GIS vision!
– The Security Standards & Architecture Team