0

I am developing a webapp that will run on a small computer in a bus which doesn't necessarily have connection to the world wide web. Passengers on the buss will be able to connect bus' wifi to use the webapp (router will automatically redirect user the the ip address of the webapp).

One of the features in the webapp, is to alert the user when they are nearing their destination. For that, I need the current location via HTML5 Geolocation api. The problem is, that Chrome is blocking that api on non-secure sites (sites that aren't https).

There is no login, no exchange of passwords or anything. Just a read-only site. So I really have no need for encrypting data. There's not much of a security effort/concern here.

I feel like it's a bit overkill having to use https, but even if that is so - is it even possible?

Inrego
  • 1,524
  • 1
  • 15
  • 25
  • It would be possible if you had www access in the bus WiFi hotspot. The workaround is to use Google Maps Geolocation API from within your web app. However seeing as you said that the bus WiFi doesn't necessarily have www, it seems you are SOL. See: https://developers.google.com/web/updates/2016/04/geolocation-on-secure-contexts-only#i_really_need_to_use_geolocation_what_should_i_do – n.abing Mar 27 '17 at 15:26
  • If you get an actual signed certificate, sure you can have "local" HTTPS. You can test that for free by creating a self-signed root certificate, make your device trust it, then create an SSL cert signed by that root and use it on the bus. In the actual scenario, the self-signed force-trusted root would be replaced by an already trusted CA whom you get your certificate from. – deceze Mar 27 '17 at 15:26
  • Having said that, it seems slightly weird that each device would have to use its own geolocation, when the server is actually on the physical bus and could keep track of its own location pretty easily with some simple hardware. – deceze Mar 27 '17 at 15:31
  • Yes we did also think about the possibilities of gps directly on the computer. But it is quite a large number of busses. So buying the hardware, installing it in all the busses, and development for it would be greatly more expensive than just using a simple html5 api that we thought to be possible. – Inrego Mar 27 '17 at 15:35
  • @deceze I read somewhere that CA providers stopped doing certs for local addresses. But I'm not sure if it's all of them or just most. – Inrego Mar 27 '17 at 15:56
  • That is indeed something you'd have to research, whether any CA is *willing* to give you the certificate. You also have to weigh the cost of the GPS hardware against the cost of the certs. And if the buses have GPS hardware, that may be much more useful for other purposes beyond this web server as well (fleet tracking…). – deceze Mar 27 '17 at 16:51
  • I read that they're not even allowed to give tthem out anymore. It has been deprecated – Inrego Mar 27 '17 at 20:55

0 Answers0