It’s hardly news, as Oracle REST Data Services (ORDS) 18.4 has been out for a while, but I thought I would mention a couple of things related to it.
First off, we’ve upgraded (almost) all of our ORDS installations to 18.4 at work. I say almost because we’ve got a couple of 11.2 databases that don’t work consistently with anything newer than ORDS 3.0.12, so they aren’t being touched until we’ve upgraded the databases. This is how I typically do the upgrades.
In February Google released a post about Chrome 68, due for release in July, which will increase the pressure to adopt HTTPS for all websites because of this behaviour change.
Basically HTTP sites will be marked as insecure, rather than just getting the (i) symbol.
Recently I’ve seen a bunch of sponsored posts talking about this in an attempt to sell certificates. GoDaddy are pushing the advertising hard. I just wanted to remind people there is a free alternative called Let’s Encrypt you might want to consider.
I’ve been using HTTPS for a few years now, but over a year ago I switched to using the free Let’s Encrypt service to get my certificates and so far I’ve had no problems. I wrote about this in a blog post here. That links to this article about using CertBot to automate the certificate renewal, which includes the Apache HTTP Server config.
I always run Oracle REST Data Services (ORDS) under Tomcat, so this is how I HTTPS enable ORDS. If you would prefer to run ORDS in standalone mode, but still want to use a real certificate, Kris Rice has your back with this article.
Of course, you shouldn’t be having direct traffic to Tomcat servers or standalone ORDS services you care about. They should be sitting behind some form of reverse proxy, or a load balancer acting as a reverse proxy, which is performing the SSL termination. In my company, we have the real certificates on the load balancers, which perform the SSL termination, then re-encrypt to speak to the services below them.
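The layout described above, sketched as an Apache HTTP Server virtual host. This is an added example, not configuration from the original post; the hostnames, the 8443 backend port, the `/ords/` context path and the internal CA file are assumptions.

```apache
# Added illustration: hostnames, ports and file paths are assumptions.
# Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers.

# Plain HTTP does nothing except redirect to HTTPS.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com

    # Client-facing TLS: the publicly trusted certificate lives on the proxy.
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/www.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Re-encrypt to the backend. Without the verification directives the
    # proxy would accept any certificate the backend presents, so the
    # second hop would be encrypted but not authenticated.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/pki/tls/certs/internal-ca.pem
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on
    SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Tell the backend the original request arrived over HTTPS.
    RequestHeader set X-Forwarded-Proto "https"

    # Expose only the ORDS context, not the whole Tomcat instance
    # (manager application, default pages and so on stay unreachable).
    ProxyPass        /ords/ https://ords-backend.internal.example:8443/ords/
    ProxyPassReverse /ords/ https://ords-backend.internal.example:8443/ords/
</VirtualHost>
```

The Tomcat connector on the backend should accept connections only from the proxy's address, otherwise the direct route the paragraph warns about is still open.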
In general I think the push towards HTTPS is a good thing, but I do have a few reservations.
There are plenty of sites, like my own, that don’t really do anything that requires encrypted connections. You are just there to read publicly available stuff. Marking them as insecure seems a little stupid to me. Update: As pointed out in the comments, it does make it harder for people to intercept and change the information during transit.
A bigger beef is the fact that anything with a valid HTTPS certificate is marked as “Secure”. If you work in IT you understand this just means the connection is secure, but what does it mean to other people? I could understand it if some people thought it meant it was a safe website to visit, when it means nothing of the sort. If HTTPS is the new “normal”, I think the browser should stop marking it as secure, and only flag when it is insecure. Update: It seems this is going to change (here). Thanks to Gary for pointing this out.
It worries me that Google can make this decision and the rest of the world has to jump. This all started when they began to alter index ranking based on the presence of HTTPS, which is why I first enabled HTTPS on my website about 4-5 years ago, I think. Now the Chrome market share of about 60% is such that they can make big changes like this without having to get buy-in from the rest of the world. The motives are good, but I don’t like it.
I’m not saying you shouldn’t pay for certificates. My company still does. I’m just saying you have a choice, especially if it is something that you do for fun like this website. In this case the free option is always the good one. 🙂
Oracle REST Data Services (ORDS) version 3.0.10 was released last week. In addition to a bunch of bug fixes it was the first release to include the Auto PL/SQL feature.
Auto PL/SQL is similar to the AutoREST feature available for tables and views, but it allows you to enable PL/SQL objects for Remote Procedure Call (RPC) over HTTP(S). At this point you might be asking yourself what the difference is between REST and RPC over HTTP and I explain that here. Regardless of whether it is REST or not, it’s a nice convenience feature that I’m sure some people will find useful.
Over the weekend I went full on down the rabbit hole, which resulted in this article.
There are a number of issues with the current release and the docs for it, all of which have been fed back to the relevant parties, but on the whole I think it’s a neat first step.
My preference is still to define conventional ORDS RESTful web services rather than use this feature, but Auto PL/SQL may be just what some others are looking for and it’s always good to have options! 🙂
As far as the 3.0.10 release generally, I upgraded 4 non-prod installations to this release, all actively used for fronting APEX and RESTful web services and nobody has had a problem yet. 🙂
If you are yet to experience the joys of ORDS you can read the articles I’ve written about it here, as well as an introduction to JSON here.