In your privacy statement I e.g. see that http://www.westnordost.de/streetcomplete/banned_versions.txt is contacted, but this is not available over HTTPS. Without HTTPS anyone could tamper with it and e.g. block me from using the applications or (in case there is a vulnerability when parsing or downloading this file) even do much worse things such as remotely execute code.
Just using HTTPS mitigates the risks and it's easy.
Speaking of your privacy statement in general, you can also replace all links to the OSM wiki with HTTPS ones.
Great points!
What do you think about additionally adding a small note / paragraph in "Location" that, due to the contributions in OSM, the actual positions you likely visited are very easily identifiable, even correlated with time? People should be aware of that.
Good idea, although this is clear to me it could be useful to make the user aware of it. It has less to do with this issue, however.
Well, I only have one of those shitty staple webspaces. You absolutely have a point though, I will look into whether they (hosteurope) offer https soon at a reasonable price.
Yep, sry for breaking the thread off-topic. Shall I open a new issue for it?
Maybe ask them for simple and automated "let's encrypt" support?
> Shall I open a new issue for it?
Yes, just do it.
> Maybe ask them for simple and automated "let's encrypt" support?
Indeed. Many hosting providers nowadays integrate LE and offer HTTPS for free. If not, switch to a different one or so. HTTPS should be built-in and providers not offering it do not deserve to be supported.
@westnordost do you know uberspace.de? good place, cheap price and very very nice team
If you just want to host static files you can even do it for free with the successor of geocities: neocities. Naturally supporting HTTPS… :smiley:
Actually I am currently in the process of moving to a new webhoster (last week already), but at the new webhoster there are various configuration problems. So many, that I am right now not sure if I need to go to yet another one, we will see if the support is able to solve all of those.
(If it were just my blog on http://www.westnordost.de the move would be swiftly over, but I have another website http://www.openclonk.org on my webhost account that needs to be moved as well. And this is basically a forge with wiki, blog, forum, bugtracker and many other custom scripts)
Hmm… you could of course also host your non-static sites on another hoster…
But BTW, nice game (clone)! :smiley:
But there HTTPS is even more important as you distribute binary data there, which could be tampered with.
It's not a clone. The engine is a further development of the original Clonk Rage engine when it got open sourced. For the most part, the people working on OpenClonk are actually the same people who before worked on the other Clonk titles.
Ah, okay thanks for the info. It's even better then…
But to get back to this issue, did you finally find a hoster, or what is your current plan?
Any news? Note that for free static file hosting (and even HTTP/2, for what it's worth) you can use https://neocities.org/. :smile: (in case you missed it)
Or do you want to use the txt file accesses to do some statistics and estimate the user base of this app?
Yeah, I actually bought a new webspace already, but there were initially so many problems with it that I stopped the migration and postponed it to later when I have the motivation again.
What about hosting it inside the repo (this or a separate one)?
For example: https://raw.githubusercontent.com/westnordost/StreetComplete/master/gradlew
I see two benefits:
You can also use GitHub Pages with a custom domain and HTTPS enabled (using Cloudflare), or just put some kind of CDN in front of the page with the "banned" list, which will give you SSL for free: https://www.cloudflare.com/ssl/
You can also use GitHub Pages without a custom domain, then you have HTTPS out of the box. 😄
True :)
I just thought that maybe @westnordost would like to have the URL on some domain that is under his control, as an alternative to all the raw.githubusercontent.com/github.io/etc., so he could switch the place of hosting this file without changing the app source code.
Attention: News incoming.
Android P will be disabling HTTP connections in apps (by default, opt-out possible)! https://android-developers.googleblog.com/2018/03/previewing-android-p.html
A request to http://www.westnordost.de/streetcomplete/banned_versions.txt currently makes a temporary HTTP redirect (302) to wint.global, which (I think) is not desired.
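The two concerns raised in this thread, the original one (a cleartext fetch of banned_versions.txt can be tampered with, and a parser bug on that file would be reachable by anyone on the path) and the 302 to a foreign domain reported just above, translate into a small client-side policy. The following is an added illustration written for this discussion, not StreetComplete's own code. It assumes things the thread does not state: that the file is plain text with one banned version per line and `#` starting a comment, and that the app only needs to know whether its own version is listed. The network is replaced by an injected `responder` with constructed responses so it runs offline.

```python
"""Defensive client policy for a remote "banned versions" list.

Added illustration for this issue, not code from StreetComplete.
Assumed (not stated in the thread): the file is plain text with one
banned version string per line and '#' starting a comment; the app only
needs to know whether its own version is listed. The network is replaced
by an injected `responder` so the example runs offline.
"""
import re
from urllib.parse import urlparse

ALLOWED_HOST = "www.westnordost.de"   # host the app is built to contact
MAX_BYTES = 16 * 1024                 # a banned list is tiny; cap it
# Accept only dotted numeric versions ("3.1", "3.1.2"); anything else is
# dropped so a tampered or garbled file cannot feed surprises to the parser.
VERSION_RE = re.compile(r"^\d+(\.\d+){0,3}$")


def check_url(url):
    """Only https to the expected host is acceptable; cleartext can be
    tampered with in transit, which is the point raised in this issue."""
    u = urlparse(url)
    return u.scheme == "https" and u.hostname == ALLOWED_HOST


def allow_redirect(original, location):
    """A redirect must stay on https and on the same host. A 302 to
    wint.global, as observed above, is refused by this rule."""
    return check_url(original) and check_url(location)


def fetch_list(url, responder, max_redirects=3):
    """Follow redirects only under the policy above. `responder` stands
    in for the network: it maps a URL to (status, headers, body)."""
    for _ in range(max_redirects + 1):
        if not check_url(url):
            raise ValueError("refusing non-https or foreign URL: " + url)
        status, headers, body = responder(url)
        if status == 200:
            return body
        if status in (301, 302, 307, 308):
            location = headers.get("Location", "")
            if not allow_redirect(url, location):
                raise ValueError("refusing redirect to: " + location)
            url = location
            continue
        raise ValueError("unexpected status %d" % status)
    raise ValueError("too many redirects")


def parse_banned_versions(body):
    """Parse the list defensively: size-capped, lossy utf-8 decode,
    comments and blank lines skipped, malformed entries ignored."""
    if len(body) > MAX_BYTES:
        raise ValueError("banned list unexpectedly large")
    banned = set()
    for raw in body.decode("utf-8", errors="replace").splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and VERSION_RE.match(line):
            banned.add(line)
    return banned


def is_banned(own_version, body):
    return own_version in parse_banned_versions(body)


def fetch_refused(url, responder):
    """True if the policy rejects fetching `url`."""
    try:
        fetch_list(url, responder)
    except ValueError:
        return True
    return False


# Constructed sample responses; no real server is contacted.
SAMPLE_BODY = b"# versions with a known bad bug\n3.0\n3.1\nnot-a-version\n"
LIST_URL = "https://www.westnordost.de/streetcomplete/banned_versions.txt"
OLD_URL = "https://www.westnordost.de/streetcomplete/old_banned.txt"


def sample_responder(url):
    if url == LIST_URL:
        return 200, {}, SAMPLE_BODY
    if url == OLD_URL:
        # same-host https redirect: allowed
        return 302, {"Location": LIST_URL}, b""
    if url == "https://www.westnordost.de/":
        # redirect to a foreign domain, like the one seen in this issue: refused
        return 302, {"Location": "https://wint.global/"}, b""
    return 404, {}, b""


if __name__ == "__main__":
    body = fetch_list(OLD_URL, sample_responder)
    print("banned:", sorted(parse_banned_versions(body)))
    print("3.1 banned:", is_banned("3.1", body))
    print("foreign redirect refused:",
          fetch_refused("https://www.westnordost.de/", sample_responder))
```

The point of the redirect rule is that a transport-level fix (HTTPS) is only half the story: a client that follows any `Location` it is handed can still be sent to a host it never intended to trust, as the hoster mishap above shows, and the parser should treat the file as untrusted input regardless of how it arrived.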
Uh, wtf. That seems to be the hoster or so.
Maybe the domain expired, @westnordost??
Because it also happens at the main domain: http://www.westnordost.de
Edit: I've mailed @westnordost in order to notify him.
whois reports some changes recently:

```
Domain data
Domain westnordost.de
Latest update 30.03.2018
```
This is the same day @westnordost assigned this ticket to himself
Domain holder and admin contact name and surname still matches the one of @westnordost, so it looks it is still in the right hands.
Technical contact and zone admin is _WINT.global GmbH_, likely a hosting provider.
Uh, I am stupid. Of course the mail server is also not available, so my mail to …@westnordost.de could of course also not reach him. :laughing:
> could of course also not reach him
Sometimes the mail server is different from the web server, even if it's the same domain, so it could have worked though :)
But true, not working here: https://de.ssl-tools.net/mailservers/westnordost.de
https://www.westnordost.de/streetcomplete/banned_versions.txt 🎉
Something went wrong during the domain name transfer, so westnordost.de including my email address was not reachable over Easter and beyond. It looks like it is fixed now.
What is interesting is that now, one after another, the emails from the last days start to arrive. Not all at once, but every few minutes another email.

> What is interesting is that now, one after another, the emails from the last days start to arrive. Not all at once, but every few minutes another email.
This is normal SMTP behaviour: when the sending server fails to reach the target server it will keep retrying at increasing intervals until it succeeds or finally gives up (normally after a few days) and notifies the sender with an error report message. Depending on how long your mail server was misconfigured and how long the senders kept trying, you might have lost some messages. https://tools.ietf.org/html/rfc5321#section-4.5.4
Also did you all notice one thing? HTTPS is there! So this is fixed!
…okay, only the URL in StreetComplete still needs to be changed, I think.
@rugk, oh, that I overlooked, tnx for pointing it out!
@westnordost, it might still be worth considering putting banned_versions.txt into github hosting as suggested by @prmtl in https://github.com/westnordost/StreetComplete/issues/63#issuecomment-367682750 for the following reasons:
Nah, I want to keep independent of github and use it just as a forge. Now that the connection is https, though, it is more difficult to follow why and what the app calls home. Personally, I'd find it worse though if an app calls home to github than to the personal domain of the app author.
But since it is all open source, it's all not a problem.
Also for the "StreetComplete quest"/survey thing we might need connections to the personal sever of @westnordost anyway in the future, BTW.
Why not store this file in the git repo, just downloading it from GitHub from the version with the tag currently installed? 🤨