Stepping up security
In late 2016, NCBI dropped support for HTTP requests and restricted their web resources to HTTPS. EBI went HTTPS by default in October 2017 and UniProt has announced that it will go HTTPS-only in June 2018. The UniProt change will cause a problem with Database Manager in older versions of Mascot. This article summarises the effects of turning off HTTP, so that you can decide whether a software update is required.
Web browsing
Web browsing is unaffected. When an NCBI, EBI, or Uniprot server receives an HTTP request, it redirects the request to HTTPS. All popular web browsers are able to respond automatically, and will switch to HTTPS.
This applies to certain links in Mascot result reports. For example, Peptide and Protein View reports contain links to perform a BLAST search at NCBI. This loads a BLAST search form in a new web browser window. In Mascot Server 2.5.1 and earlier, the link will be HTTP, but this will redirect to HTTPS automatically with no loss of information. The same applies to the taxonomy browser link in a Protein View report.
Full annotation text
In some cases, the full annotation text displayed in a Protein View report comes from an external URL. For NCBI databases, the report script calls a utility called efetch. The Perl library used by the script does not handle redirection automatically, so the URL must be specified as HTTPS to succeed. The URLs for all preconfigured databases are correct, but calls will only succeed for Mascot Server 2.6.0 and later. With earlier versions, the code assumed external calls would always use port 80. If the annotation text is only available via an HTTPS call, it will be missing from the report, whether the URL is entered as HTTP or HTTPS. The affected databases are NCBI nr and the NCBI EST divisions.
If EBI goes HTTPS-only, the same will apply to EMBL EST divisions, where the report script tries to get full text from the emblfetch utility. At this time, HTTPS is the default but HTTP is still supported by EBI.
If and when UniProt turns off HTTP, this will prevent Mascot Server 2.5 and earlier getting full annotation text for Trembl, UniRef100, and UniProt proteomes. SwissProt is not affected provided it is configured with a local full text file (the DAT file).
The work around for Mascot 2.5 and earlier is to retrieve the full text in a separate browser window. Copy and paste the accession into the search field for NCBI, EBI, or UniProt.
File downloads in Database Manager
If a file is only available via HTTPS, current releases of Database Manager are not able to download it. Trying to save an HTTPS download URL in Database Manager gives the error message: Can’t locate object method "file" via package "URI::https"
This isn’t a problem right now because the NCBI, NIST, and EBI file repositories use FTP protocol. It will become a problem for Fasta files created using a query, such as UniProt proteomes, when HTTP is not available. To address this, we will release a patch for Mascot Server 2.6 in the next few weeks, before UniProt turns off HTTP. This patch (2.6.2) will be posted on the Mascot Server 2.6 support page as soon as it is released.
The work around for Mascot 2.5 and earlier will be to download files that are only available via HTTPS manually, using a web browser, and copy them to the appropriate directory on the Mascot Server.
Keywords: database manager, HTTPS, security, SSL