HTTPS configuration broken


Marnick L'Eau

Nov 4, 2017, 2:00:22 PM
to GeoNames
I'm looking for a webservice that can provide country flags for a browser addon I've made. geonames seems to be a great choice, assuming I automatically have or can ask for permission to integrate them. There's just 1 problem: your HTTPS configuration is broken.

Your website runs on the domain geonames.org and defaults to http. Trying to switch to https displays a browser error because your https cert is configured for *.geonames.net. Changing the url to http(s) geonames.net redirects the request back to geonames.org. TLDR: your https cert is for geonames.net and your website is set up to force all requests to go to geonames.org with http only.

Could this please be fixed?

Cheers
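
Added example, not part of the original thread and not GeoNames code: a simplified RFC 6125-style DNS-name matcher showing why a certificate issued for `*.geonames.net` fails hostname validation on geonames.org. The SAN list is constructed from the description in the post above, not read from the server; `api.geonames.net` and `a.b.geonames.net` are hypothetical hostnames used only to show the wildcard rules.

```python
# Simplified hostname verification (DNS names only, whole-label wildcards only).
# Real TLS stacks also handle IP SANs, IDNA and partial-label wildcards.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """True if one certificate DNS name (pattern) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        # A wildcard stands for exactly one label, so "*.geonames.net"
        # covers neither the apex "geonames.net" nor "a.b.geonames.net".
        return False
    if p[0] == "*":
        # Wildcard only as the entire leftmost label, and never directly
        # above a top-level domain (rejects patterns such as "*.net").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_covers(san_dns_names, hostname):
    """True if any DNS name in the certificate covers hostname."""
    return any(san_matches(p, hostname) for p in san_dns_names)

def audit(san_dns_names, hostnames):
    """Map each hostname to whether the certificate is valid for it."""
    return {h: cert_covers(san_dns_names, h) for h in hostnames}

# Constructed from the thread: the certificate is described as *.geonames.net.
CONSTRUCTED_SAN = ["*.geonames.net"]

# Hostnames to audit; the last two are hypothetical.
HOSTS = [
    "geonames.org",
    "www.geonames.org",
    "geonames.net",
    "api.geonames.net",
    "a.b.geonames.net",
]

if __name__ == "__main__":
    for host, ok in audit(CONSTRUCTED_SAN, HOSTS).items():
        print(f"{host:20} {'covered' if ok else 'MISMATCH'}")
```

Running the same audit against the DNS names of every certificate you deploy, for every hostname that serves or redirects traffic, catches this kind of mismatch before a browser does.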

Marc Wick

Nov 4, 2017, 2:59:05 PM
to geon...@googlegroups.com
Hi Marnick

The api services are listed here:
http://www.geonames.org/export/ws-overview.html
There is no webservice at geonames.org.


Best Regards

Marc

Marnick L'Eau wrote:
> I'm looking for a webservice that can provide country flags for a
> browser addon I've made. geonames seems to be a great choice, assuming I
> automatically have or can ask for permission to integrate them. There's
> just 1 problem: your HTTPS configuration is broken.
>
> Your website runs on the domain geonames.org and defaults to http.
> Trying to switch to https displays a browser error because your https
> cert is configured for *.geonames.net. Changing the url to http(s)
> geonames.net redirects the request back to geonames.org. TLDR: your
> https cert is for geonames.net and your website is set up to force all
> requests to go to geonames.org with http only.
>
> Could this please be fixed?
>
> Cheers

Marnick L'Eau

Nov 4, 2017, 4:21:16 PM
to GeoNames
Well, I was counting the webhosting of the country flags as a service: http://www.geonames.org/flags/x/

Can they be used for display in browsers by my addon?

Either way though, your https cert is incorrectly configured since it's for .net while your site runs on .org :P

Marnick L'Eau

Nov 4, 2017, 4:22:04 PM
to GeoNames
My point stands by the way. All those services are offered from the geonames.org domain. The incorrect https certificate applies to all of them.



Marc Wick

Nov 4, 2017, 4:31:39 PM
to geon...@googlegroups.com
> Well, I was counting the webhosting of the country flags as a
> service: http://www.geonames.org/flags/x/

This is not a service.


> Can they be used for display in browsers by my addon?

No.

Marc

>
> Either way though, your https cert is incorrectly configured since it's
> for .net while your site runs on .org :P

Barry Hunter

Nov 4, 2017, 4:59:02 PM
to geonames
On 4 November 2017 at 20:03, Marnick L'Eau <marnic...@gmail.com> wrote:
> Well, I was counting the webhosting of the country flags as a service: http://www.geonames.org/flags/x/

Hmm, that sounds more like hotlinking than a webservice.

Download the flags once, and bundle them with the app, or find your own hosting (that you pay for).

Countries don't really change often enough that you need a 'live' API for them.


Marnick L'Eau

Nov 4, 2017, 5:15:13 PM
to GeoNames
Ok then, thanks for the response

Richard Gibson

Sep 5, 2018, 4:32:04 PM
to GeoNames
I just ran into the certificate mismatch as well. What would it take to either expose the resources via HTTPS under geonames.net, or get proper certificate(s) for geonames.org and appropriate subdomains (it seems like one already exists for secure.geonames.org)?

Marc Wick

Sep 19, 2018, 8:58:18 AM
to geon...@googlegroups.com, Richard Gibson
Hi Richard

Do you also want to steal bandwidth? Or what is your special use case?

This thread is actually giving the very reason why not to change
anything - or on the contrary it gives reason to make access more
difficult.
We have hundreds of requests per second to the flag images from apps not
related to geonames and we do have to take measures to block these
requests or send them to nirvana.

Best Regards

Marc

Richard Gibson wrote:
> I just ran into the certificate mismatch as well. What would it take to
> either expose the resources via HTTPS under geonames.net, or get proper
> certificate(s) for geonames.org and appropriate subdomains (it seems
> like one already exists for secure.geonames.org)?

Richard Gibson

Sep 21, 2018, 3:05:16 AM
to Marc Wick, geon...@googlegroups.com
I would like to maintain an up-to-date list of countries and their associated codes from at most three hosts, and have confidence that the responses were not altered by any man in the middle. Standard HTTP If-Modified-Since and/or If-None-Match headers can protect your bandwidth.

Marnick L'Eau

Sep 21, 2018, 3:05:41 AM
to GeoNames
Marc, I understand your stance that you don't want geonames to be used as such a service, and I think Richard does too. Neither of us is trying to hotlink the flags. All both of us are saying is that your https cert is misconfigured, which is a bad thing in and of itself that should be corrected. Just go to geonames.org, change the protocol to https (as many people do automatically today with browser settings or addons), and watch the site fail the https security validation.

Barry Hunter

Sep 21, 2018, 8:27:41 AM
to geonames, Marc Wick
> Standard HTTP If-Modified-Since and/or If-None-Match headers can protect your bandwidth.

That would predicate that the 'client' even has a client side cache (and/or an intermediate proxy). If there is no cache, those headers won't help anything.

... and also that the problem is 'repeat' download. Even a client downloading them once (particularly if it tries to download all 200+ countries) in quick succession, uses bandwidth.
Such headers won't help lots of different users downloading.

Plus from experience the 304s don't really save all that much bandwidth; for small files, the TCP and HTTP header overhead make the actual bandwidth consumption of 304s not that much smaller anyway. Typically it's the large number of requests that is an issue, not the actual bandwidth consumption anyway. Serving a 304 usually requires checking the origin file anyway.

If there was a 'cache' available, a far futures Expiry data would work better anyway, the flags don't really change and don't need repeated validation.

Seems to be you moaning about Geonames not providing a service (files served of proper TLS connection), that it doesn't want to provide.



Try searching for country flags on 

there is some available there. Comes with (free) hosting provided by cloudflare, looks like https enabled too. 
 


 
> Neither of us is trying to hotlink the flags.

So what are you doing then?

If you weren't trying to download the flags over https, you wouldn't 'care' that the certificate is wrong.

> which is a bad thing in and of itself that should be corrected.

Why? Marc already mentioned it's (at least partly) deliberately broken

... to make geonames unattractive to users trying to download files from geonames owned servers.

 

Marc Wick

Sep 22, 2018, 10:25:16 AM
to Barry Hunter, geonames
Thanks Barry for your patience explaining how things are.

I think we can close the thread with this as all services and
functions are available over ssl anyhow. If something got forgotten then
whoever spots it may start a new thread please.

Best Regards

Marc
> Why? Marc already mentioned it's (at least partly) deliberately broken
>
> ... to make geonames unattractive to users trying to download files
> from geonames owned servers.