Earlier last month Esri published a blog post titled Prepare for Next Major ArcGIS Online Security Advancement Now. I have to admit when I first read it; I didn’t pause for long – thinking it was related to another recent web-security related change by Esri – the switch to TLS 1.2
If your eyes are glazing over already, hang in there. There was more to this post than I first thought, and it’s something you should be thinking about now if you’re administering an ArcGIS Online organisation that has been in place for some time. To be specific, if you created your ArcGIS Online site before September 2018, then you should read on.
What’s going to happen in 2020 is that ArcGIS Online will no longer work with external references to resources that use HTTP in the referring URL. Only HTTPS references will be supported. This is the way the web is moving and Esri is simply following best practice.
If you created your ArcGIS Online organisational after September 2018, then you will have been subject to this restriction from the get-go and won’t have a problem (it has been the default position since that time). If the organisational site is older than that, then there’s a chance you could have these less secure references to resources lurking in your web maps, web scenes and other items. If you do nothing, a bunch of things may stop working at some point in 2020, and you’ll be scurrying to try and fix them in a hurry.
For any of you utilising Story Maps you may have already encountered this. In 2018 the Story Map team implemented HTTPS only compliant web apps. This meant not only did the story map have to be secured with HTTPS but also any referenced site in a story map also had to be secured in the same fashion. In 2020 ArcGIS Online in its entirety will follow suite. Details on that earlier Story Map change here.
How would you know you’ve got a problem to solve? Esri has created a tool called the ArcGIS Online Security Advisor that will scan all the items in your organisation, looking for the issue. You’ll need to be logged in as an administrator of the organisation to do this. The HTTP Check component of that tool is in Beta right now with new capabilities being added regularly.
It can’t directly fix the issues because a simple replacement of HTTP with HTTPS in the reference may not work if the target server doesn’t support HTTPS. However, it will give you the feedback you need to go triage each of the problems it flags.
A typical scenario that could impact many users is where a GIS service is coming from an older version of ArcGIS Server and added as an item to an ArcGIS Online organisation. That older ArcGIS Server version would have allowed the specification of just HTTP, or both HTTP and HTTPS when exposing services.
Here’s an example. Way back, I created a web map in my ArcGIS Online organisation that refers to the Australian Coastal Sediment Compartments web service from GeoScience Australia. The link here is for the HTTPS version (since this is all about best practice), but when I created that map, I used the HTTP version. Both forms are currently supported by the GeoScience Australia GIS Server.
The map displays the GA map service on top of the Esri Oceans basemap and works fine. Come 2020; this won’t be the case. If I use the beta HTTP Check tool in the ArcGIS Online Security Advisor, it picks up two problems with the web map.
In scanning the web map item, it detected that I have the URL of the GA web service in the Description. While that won’t break the map when HTTP is no longer supported, it still needs attention given the resource it refers to will change.
The second pickup by the tool was the actual URL to the GA service in the JSON data describing the web map.
Equally, if you’ve created items in your portal that refer to resources coming from external sources – say a web service from an external agency that you collaborate with, then you may come up against the same issue if they’re using HTTP.
When you interact with a web site that doesn’t use HTTPS to encrypt traffic these days, you get to know it. It’s no longer just a small broken padlock icon – mainstream browsers are now calling it out and telling you that the site is not secure. That’s a good thing, and Esri is just doing its part to ensure web security best practices are adhered to.