VATSIM Virtual Airlines - Partner Policy Update, 2023.

[Antonio Dujmovic]

Dear VA Partners/Associates,

we have just published our updated VA Partner Policy, which will be in effect starting January 1st, 2023.

For the time being, these changes will only affect VATSIM Virtual Airline Partners, and will have no effect on VATSIM Virtual Airline Associates. VA Associates should expect similar changes for their respective policy in the near future, as we are working towards that as well. The current VA Associate Policy can be found here.

Most notable change in our policy update, is the Website Requirements. Starting January, Virtual Airline websites will be required to pass all traffic through the HTTPS protocol, instead of HTTP, which requires having an SSL certificate. Current partners and associates will have 6 months (or more as needed) to meet this requirement, and any new applicants will be required to meet it upon applying.

On this forum post, you will find most important changes written down below, and you can find the PDF document on the bottom that includes the full policy, that will be in effect starting January 1st, 2023, 0001z at https://vatsim.net/docs/policy/virtual-airline-partners.

 

Quote

3.2 Requirements.

Added:

3.2.9 Website requirements. In most cases, websites are used as gateways for pilots to interact with their VA accounts, which includes private data. We require all VAs to meet the following website requirements:

3.2.9.1 Websites are required to pass all traffic through the HTTPS protocol, instead of HTTP. This requires the website to have an SSL Certificate. Using an SSL Certificate on a website adds an extra layer of security and helps protect against attacks such as man-in-the-middle attacks, where an attacker intercepts and potentially modifies the data being transmitted between the client and server. It ensures that the data transmitted between the client and server is encrypted and cannot be intercepted by third parties. As a free alternative, we recommend using https://letsencrypt.org/.


Added:

Upon submitting an application, the applicant states that they are authorized to submit the application as a representative of the Virtual Airline in question.
Violating this term may result in disciplinary action against the applicant.

VAs may be eligible to have the activity requirement waived, if their Virtual Airline has >80% of their total flights on VATSIM.
 

 

Quote

5.0 BENEFITS AND RIGHTS.
5.1 Benefits.

Added:

5.1.7 Right to submit VA hosted events on our discord server, to have them publicized via VATSIM media, which includes advertising them on our events twitter, https://vatsim.net/events, and 700+ discord servers, including the official community server.

5.1.8 Right to submit up to 15 aircraft liveries to be included in the FS Live Traffic Liveries project. More information about FSLTL can be found here: https://www.fslivetrafficliveries.com

 As always, any and all feedback is very valuable and appreciated.

If you have any questions, concerns or comments regarding these changes, feel free to express yourself in the replies on the post, or on our Discord Server, where you can discuss the changes with us and other VA Staff Members. Alternatively, you may email [email protected] or [email protected].

Thank you for your time.

 

VAP_Policy_2023.pdf

Edited December 23, 2022 at 04:01 PM by Antonio Dujmovic
policy adjustment

[Luke Kolin]

What is the purpose of 3.2.9.2, and how do you define a "static" IP?

Cheers

[Trevor Hannant]

Why can't it be on a sub-domain?  Technically that means it can't be on www as this is a sub-domain

[Sean Harrison]

Didn’t we open a survey this week? Prior to this announcement!

[Taylor Broad]

4 hours ago, Luke Kolin said:

What is the purpose of 3.2.9.2,

This is one of the ways we're ensuring that when a VA is listed on our list, the website URL doesn't go dead because of a DNS issue. We have historically had issues on our VA list where the websites were offline when we checked them.

Dynamic IP addresses are, typically, used with residential internet or cloud resources where the virtual machine where they may only "boot it up" when people are flying.

The end goal of this is that we want to partner with communities have dedicated resources for their community. Good hosting shouldn't require a dynamic DNS setup to work correctly.

We also get an added security benefit, where we can store the community's static IP on our end and, if it was changed for some reason, we can remove it from the list. It's completely possible that a DNS account can be hacked to the point where IP address entries were changed and new SSL certificates were generated. We don't know per-say if we want to go in this direction or not, but the option is surely available.

Quote

 

and how do you define a "static" IP?

 

Static IP addresses are ones that don't change unless that change is initiated by the customer.

 

[Antonio Dujmovic]

3 hours ago, Sean Harrison said:

Didn’t we open a survey this week? Prior to this announcement!

Hi there! As Filippo mentioned on the new forums -- The survey has indeed been opened, and we will be looking through every single submission and taking notes from what we deem can be implemented and improved. However, these changes have been in planning for quite a while, and we have just now published them.

The timing was maybe a bit off, but regardless, the survey is not there just for the show, so I hope you can trust when I say that putting in a submission will not go to waste, and might just help!

[Taylor Broad]

4 hours ago, Trevor Hannant said:

Why can't it be on a sub-domain?  Technically that means it can't be on www as this is a sub-domain

www is a gimmie. We'd be fine accepting that. See: https://askleo.com/when-is-www-needed/

Basically, when setting up your DNS entries, typically 99.99% of the time, you'd put www and @ to the same server.

Now, I have seen www2 or other levels of subdomain routing, but typically that's reserved for staging websites, or other purposes.

What we're trying to prevent is an easy way to know if someone is using some sort of free hosting. Since there's thousands of these types of hosts on the internet using a myriad of domains, we didn't want to keep that on file.

As you can see in the policy, if there's a valid technical reason where you require a variance where your information website has to be hosted on a subdomain, reach out to me via a support ticket or email.

For the observers, and to be abundantly clear, your pilot interface doesn't apply to this policy. I know that some people run Wordpress on their main domain while they use phpVMS, VAOS, VAM, etc. on a subdomain. We want the publicly facing portion to be available on the main domain.

Edited December 22, 2022 at 09:00 PM by Taylor Broad

[Luke Kolin]

6 hours ago, Taylor Broad said:

This is one of the ways we're ensuring that when a VA is listed on our list, the website URL doesn't go dead because of a DNS issue. We have historically had issues on our VA list where the websites were offline when we checked them. Dynamic IP addresses are, typically, used with residential internet or cloud resources where the virtual machine where they may only "boot it up" when people are flying.

You are overthinking this. Availability and accessibility is perfectly legitimate, and you should focus on that. Once you start getting into making value judgments as to DNS providers or IP allocation you start getting on very questionable ground and likely to make mistakes. Is the site available and reachable via HTTPS? Great.

(FWIW, mandating HTTPS is an excellent idea. Leverage that.)

6 hours ago, Taylor Broad said:

We also get an added security benefit, where we can store the community's static IP on our end and, if it was changed for some reason, we can remove it from the list.

This is exactly the questionable ground I was referring to. The entire reason we have DNS is because IP addresses are ephemeral, implementation details. Address resolution is never a security mechanism - that's why we have HTTPS and trusted certificate authorities. If I change my dynamically allocated, ephemeral elastic IP address for one of a variety of perfectly good reasons, I shouldn't need to worry that VATSIM is going to delist my VA because they are unclear on how the internet works.

Stop worrying about DNS names, hosting providers, how much you think someone is paying or other pre-conceived notions of what acceptable hosting should be. Make it simple. If the URL is available over HTTPS, you're fine.

Luke

Edited December 23, 2022 at 02:51 AM by Luke Kolin

[Patrick Tinner]

17 hours ago, Taylor Broad said:

Static IP addresses are ones that don't change unless that change is initiated by the customer.

 

You are aware that many Hosting Provider don't offer a static IP in a shared hosting environment? The chance that an IP might change is very rare but it might happen. I work for a hosting company and IP changes for example when changing a product, upgrading the server etc.

[Antonio Dujmovic]

13 hours ago, Luke Kolin said:

You are overthinking this. Availability and accessibility is perfectly legitimate, and you should focus on that. Once you start getting into making value judgments as to DNS providers or IP allocation you start getting on very questionable ground and likely to make mistakes. Is the site available and reachable via HTTPS? Great.

(FWIW, mandating HTTPS is an excellent idea. Leverage that.)

This is exactly the questionable ground I was referring to. The entire reason we have DNS is because IP addresses are ephemeral, implementation details. Address resolution is never a security mechanism - that's why we have HTTPS and trusted certificate authorities. If I change my dynamically allocated, ephemeral elastic IP address for one of a variety of perfectly good reasons, I shouldn't need to worry that VATSIM is going to delist my VA because they are unclear on how the internet works.

Stop worrying about DNS names, hosting providers, how much you think someone is paying or other pre-conceived notions of what acceptable hosting should be. Make it simple. If the URL is available over HTTPS, you're fine.

Luke

 

2 hours ago, Patrick Tinner said:

You are aware that many Hosting Provider don't offer a static IP in a shared hosting environment? The chance that an IP might change is very rare but it might happen. I work for a hosting company and IP changes for example when changing a product, upgrading the server etc.

Hi guys! Taylor and I have spoken through this once again after taking a better look at your feedback, and we agree with the points you made.

Due to that fact, we have decided to pull out that section out of the website requirements, however, we will be keeping the HTTPS (SSL) requirement at this time. The forum post has been edited, policy document replaced with the most up to date one, and our partners will be notified of this change, as the policy goes live on the 1st of January, 2023.

This is very much appreciated, and we thank you for the feedback! :)