Ancestry.com Does Not Support Encryption


#1

I am having difficulties with my own website, which is encrypted, because now all of my links to Ancestry.com are broken because Ancestry.com, the largest genealogical website on the planet, and holder by their own admission of BILLIONS of records about individuals, refuses to encrypt communications with its customers. The only information they have about HTTPS on their site is instructions on how to turn OFF the default secure settings of all current browsers. I have spoken with both their support and executive response teams. I have written multiple e-mails. All I get is the standard drone “We will forward this to our technical team.” I keep insisting that this is not a technical issue it is a business issue, but I cannot get through to them that it is unacceptable to NOT encrypt your clients’ information.


#2

So all your links are broken because you linked to the wrong protocol? IOW, if they don’t support https, and you linked to https://ancestry.com/whatever, and now the link is broken, that sounds like your fault, not theirs. And what does this have to do with Let’s Encrypt at all, and specifically with the ISRG/Organizational category you assigned to this post?


#3

No the links from my site are http://ancestry.com links. However modern browser block “mixed active content” so all of these links are broken because I cannot replace them with valid https: links because Ancestry has, for reasons it refuses to discuss, failed to support https. I am trying to find a community that will help me convince Ancestry to support https so that the information exchanged with all of their MILLIONS of customers will be protected. Ancestry holds personal data on literally billions of individuals, according to their own advertising. That private information, including critical information such as birth dates and social security numbers, is exposed if Ancestry communications are not encrypted.


#4

“Mixed active content” is content that has access to the DOM of the page (scripts, css, etc), not merely a hyperlink to another site. So are you embedding their content in your page? Or are you talking about hyperlinks; I’m pretty sure those won’t break.

That’s not necessarily true; they’d have to be transmitting the information of those billions of individuals over those unencrypted connections in order for them to be vulnerable merely by HTTP.

I know some Ancestry.com employees, I’ll see if I can put in a word. But complaining about it here will probably not do any good.


#5

Ancestry has chosen to hide the images which it has on its site behind a javascript user interface, so when all I want to do is include a link to an image on the Ancestry site instead of a link to a jpeg or a png, which would not be mixed active content, I have to include a link to a script that fiddles around in the DOM, and that link uses http rather than https because Ancestry has chosen not to implement a trivial mechanism for protecting the information during transmission. I am simply setting the src attribute of an iframe at Ancestry’s url, and the browsers (all of them) block the request. I have no problem with links to images on sites such as www.familysearch.org, which uses https, or collectionscanada.gc.ca which provides access to jpegs, just with Ancestry because it does neither.

Any time that any client of Ancestry looks at information which that client is authorized to look at, using the privacy mechanisms of Ancestry, that private information is transmitted in the clear. There is no good reason for transmitting that private information in the clear but Ancestry has chosen for reasons which it has not explained to NOT take the elementary precaution of encrypting the transmissions, even though doing so means that it has to educate its users in how to turn OFF browser security. Moreover every query reveals information about the requester, which is presumably why search engines use https even though the information which is returned is not itself private.

I am just trying to find a community that I can join to raise this issue. Obviously the best community would be among Ancestry.com clients, since they are the ones whose privacy is being violated, but it is understandable that Ancestry does not provide any mechanism by which such a focus group can be established using its facilities. So I am, in essence, advertising to a number of communities of people who understand the value of encrypting web communications, in hopes that someone will direct me to a more appropriate forum.


#6

They actually “support” HTTPS in terms that they have a wildcard from Thawte for the whole *.ancestry.com (and for example support site responds over https, even though with mixed content). But they do redirect from HTTPS to plain HTTP on www, which I find rather bizarre.

I think pre-parsing JS to pull links to the images or even fetching the images to later serve them over HTTPS might be an easier and faster route for you than trying to force them to switch. That is unless they have some special T&C provisions regarding using their images that might prevent you from doing something like this.


#7

Thank you.

There are no links to the images within Ancestry’s pages. So there is nothing that I can extract from the pages to store. Ancestry’s javascript draws the images directly. I would have to scrape the bit patterns off the page and reconstruct an image file from them. Ancestry requires an account for access to the images and therefore reasonably requires that everyone must access them through the site to verify that access is paid for before the images are displayed. It is also reasonable that they require their logos and other acknowledgements be presented along with the image. It would clearly be a violation of the license agreement if I provided an access method that bypassed Ancestry’s security.

For the moment when I cannot reference the URL from the iframe tag I display a page that permits opening the insecure URL in a new window. For example go to: https://www.jamescobban.net/database/CensusForm1921.php?Province=&District=103&SubDistrict=4&Division=&Page=1 and click on “Display Original Census Image”. Compare that to: https://www.jamescobban.net/database/CensusForm1901.php?Province=&District=89&SubDistrict=A&Division=1&Page=1 which is able to reference a jpeg on a public site directly, or https://www.jamescobban.net/Canada/BirthRegDetail.php?RegDomain=CAON&RegYear=1901&RegNum=25812 which loads an image viewer from www.familysearch.org using https. Note that when I do display a jpeg from the net I include a thank you to the original provider. I also have images which I personally scanned from original documents in some cases.

My primary objective is to find a community of individuals who feel that the privacy of their communications with all web services deserve to be protected.


#8

Well you’ve found one. :slight_smile:

With regards to the images, maybe you could just proxy requests for the Ancestry resources through your own TLS-enabled server, then your site doesn’t have to load over HTTP directly from the third party.