WebPOS and HTTPS
Google Chrome will disable Web POS offline mode for non-secure connections - Another reason why you should be using HTTPS
Google Chrome is introducing new restrictions on the use of some web technologies. In Chrome 52, the AppCache functionality will be disabled for non-secure connections. When this happens, users will no longer have access to the Web POS when they are offline, unless they use HTTPS. We currently estimate that Chrome 52 will be released in less than two months.
Why is this happening? Isn’t this a harsh or bold move?
As you may know, there has been a general movement for some time to gradually migrate most Internet services to secure connections. As part of this movement, Google has been gradually disabling many technologies on non-secure connections. Starting with Chrome 50, which was released a few weeks ago, the AppCache technology is officially deprecated on non-secure connections, and Google estimates that it will be removed in about two months from now, when Chrome 52 is released.
Not using HTTPS leaves users vulnerable to several different types of exploits. This fact, together with multiple cases of actual attacks suffered by high-profile companies, has prompted most browser vendors to take several actions to protect users and remove the ways these attacks can be initiated (you can check these three links for various examples).
The ApplicationCache is a powerful feature, which can be used to implement offline capabilities in web applications, but precisely because it is so powerful, it can also be used to implement harmful cross-site scripting attacks. For this reason, Google has decided to restrict the usage of this feature to HTTPS connections, which guarantee a secure origin. Therefore, although it may sound harsh, it’s certainly understandable that they are making this change.
What are the practical implications for Openbravo for Retail users?
The main implication is simple to explain: starting with Chrome 52, the Web POS offline mode will no longer work unless HTTPS is used. This is because the browser will lack the AppCache feature on non-secure connections, and this feature is required for the offline mode to work (without it, the browser doesn’t have access to the source code needed to run the application).
This restriction is currently not fully implemented even in the latest prerelease version of the browser, but after analyzing the way the Chrome developer team plans to implement it, we have concluded that the Web POS itself should work correctly in online mode over plain HTTP connections without any further changes from our side. However, offline mode will be disabled, so if you lose your Internet connection, you will no longer be able to access the application until the connection comes back.
It’s important to remember that in most environments Google Chrome is updated automatically, so as soon as this change is released, users will be immediately impacted by it. We currently estimate that it should happen in about two months. We have based this estimate on the previous track record of Chrome releases, so it could happen even sooner than this.
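The following added example (not Openbravo code) shows how an administrator could check which Web POS terminal URLs will lose offline mode under this rule, and how a page could detect at runtime whether AppCache is usable. The function names and the sample URLs are hypothetical and constructed for illustration; the classification assumes the browser's secure-origin rule, where HTTPS and loopback hosts count as secure.

```javascript
// Added example: hypothetical helper names, constructed sample URLs.

// Loopback hosts are treated as secure origins even over plain HTTP.
function isLoopbackHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, '').toLowerCase(); // strip IPv6 brackets
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  if (h === '::1') return true;
  return /^127(\.\d{1,3}){3}$/.test(h); // 127.0.0.0/8
}

// Decide whether AppCache-based offline mode can work for a given URL.
function classifyPosUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { url: rawUrl, offlineCapable: false, reason: 'invalid URL' };
  }
  if (url.protocol === 'https:') {
    return { url: rawUrl, offlineCapable: true, reason: 'HTTPS' };
  }
  if (url.protocol === 'http:' && isLoopbackHost(url.hostname)) {
    return { url: rawUrl, offlineCapable: true, reason: 'loopback host' };
  }
  return { url: rawUrl, offlineCapable: false, reason: 'non-secure origin' };
}

// Return only the terminals that will lose offline mode.
function auditTerminals(urls) {
  return urls.map(classifyPosUrl).filter((r) => !r.offlineCapable);
}

// Runtime check inside the page: pass the browser's window object.
function appCacheUsable(win) {
  return win.isSecureContext === true && 'applicationCache' in win;
}

// Constructed inventory of terminal URLs.
const SAMPLE_TERMINALS = [
  'https://pos.example.com/webpos/',
  'http://pos.example.com/webpos/',
  'http://192.168.1.20:8080/webpos/',
  'http://localhost:8080/webpos/',
  'http://[::1]:8080/webpos/',
];

for (const r of auditTerminals(SAMPLE_TERMINALS)) {
  console.log(`${r.url} will lose offline mode (${r.reason})`);
}
```

A terminal served from a private LAN address over HTTP is still a non-secure origin, so store-internal deployments are affected as well.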
Ok, so I need to use HTTPS. But I heard this is very complex, and expensive?
Using HTTPS is not very complex, although it’s certainly a little bit more difficult than using plain HTTP, and nowadays it’s not expensive at all (in fact, it can even be free!).
To use HTTPS you need a domain or sub-domain (which you most likely already have) and you also need an SSL certificate. In the past, certificates had to be bought, but nowadays there are certificate authorities such as Let’s Encrypt which can issue you a certificate automatically, and for free. You can check the main steps you would need to follow on their website, and you will see that they are quite simple, but if you need any help, our Support Team will be ready to help you.
We have documentation on how to activate HTTPS if you are currently using an Openbravo appliance (you can find information here).
If you don’t use an Openbravo appliance, there are many tutorials on the Internet which explain how this configuration is done, and our Support Team will be ready to help if you have any questions.
Our Cloud solution works with HTTPS out of the box, and no additional configuration is necessary.
A final call to action
You should be taking this topic seriously today! The Web POS offline mode is a very important capability of the application, and critical for most users, so this is a perfectly valid reason to implement HTTPS in your systems.
However, even without this topic, you should be using HTTPS already. Using HTTP over any untrusted network (like the Internet) is fundamentally not secure, as you are exposed to a variety of security problems and attacks. Even if you don’t need the Web POS offline mode, or even if you don’t use the Web POS at all, you should consider using HTTPS. Hopefully, this will be the final push for our users to make the right decision. Implementing HTTPS is not very difficult, it’s not expensive, and it provides a great deal of value for you and your organization in terms of reduced security risks and headaches, so there should be no doubt about it.