What practical difference does it make if I connect to an Australian weather forecast site via HTTP or HTTPS? Is the NZ secret police gonna MITM a rain forecast my way when it's actually gonna be a very sunny day?
A government site has implicit authority. You could use that implicit authority to make a scam look more authentic. It also will have a lot of traffic; a lot of opportunities for the scam to work if you do manage to get in the middle.
For example, inject a dialog box that says "Our records indicate your taxes were not paid this year! Before you can view the weather you must click here and log in to resolve this issue!".
Aside from browsing history and privacy implications, some ISPs insert adverts into the HTML, possibly opening up the user to drive-by browser exploits…
The reality is, it’s not complicated to add HTTPS as a feature, so there’s no good reason why it’s not implemented - aside from incompetence, or trying to save money on staff?!
Employees on the inside using the data cruncher to mine bitcoin isn't an HTTPS issue - given these chancers were caught, it appears the BOFH functioned uncorrupted and reported their illicit cycles.
They make an (easily made) mistake on that page: the encrypted version of FTP is not SFTP, but FTPS. SFTP is an entirely different protocol based on SSH.
Back in 2013-15 I was fortunate enough to know some people at BoM, specifically some IT people.
Their off-hand comment around why BOM didn't have https was due to the amount of overhead and infrastructure changes needed to make that https change.
Fast forward to 2018-ish: they recently created a new API and a new website, Https://Weather.bom.gov.au, with https enabled!
(which I now have integrated into a Raspberry Pi and an e-ink display for my morning weather).
For whatever (archaic) reason the new weather web UI is now defunct, but the API still exists, uses https, and as far as I know supports their mobile applications.
All it would take is for some ISPs here to MITM the traffic with ads / junk and maybe they would change it. The upside to this story is that it is currently a great site to visit for captive portal detection.
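The captive-portal use mentioned here works because a plain-HTTP page can be compared with what the origin is known to serve: any difference, or a redirect to another host, means something on the path rewrote the reply. The block below is an added illustration of that check, not code from the thread; the known-good body and the sample replies are constructed, and www.bom.gov.au is used only as the probed host name.

```python
import hashlib
from urllib.parse import urlsplit

# Host probed over plain HTTP; www.bom.gov.au is the host the thread discusses.
PROBED_HOST = "www.bom.gov.au"

# Constructed stand-in for the body a client captured on a trusted network.
KNOWN_GOOD_BODY = b"<html><body><h1>Forecast</h1><p>Sunny, 28 C</p></body></html>"
KNOWN_GOOD_DIGEST = hashlib.sha256(KNOWN_GOOD_BODY).hexdigest()


def classify_response(status, headers, body, expected_host=PROBED_HOST,
                      expected_digest=KNOWN_GOOD_DIGEST):
    """Decide whether a plain-HTTP reply is what the origin is known to send.

    'ok'             body matches the known-good digest
    'upgraded'       redirect to https on the same host (legitimate)
    'captive_portal' redirect anywhere else (portal or interception)
    'tampered'       200 with a body that differs (ads, injected scripts)
    'unexpected'     any other status
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308):
        target = urlsplit(hdrs.get("location", ""))
        if target.scheme == "https" and target.hostname == expected_host:
            return "upgraded"
        return "captive_portal"
    if status == 200:
        return "ok" if hashlib.sha256(body).hexdigest() == expected_digest else "tampered"
    return "unexpected"


# Constructed sample replies as a captive-portal check might observe them.
SAMPLES = {
    "clean": (200, {"Content-Type": "text/html"}, KNOWN_GOOD_BODY),
    "isp_ad": (200, {"Content-Type": "text/html"},
               KNOWN_GOOD_BODY.replace(b"</body>", b"<script src=ad.js></script></body>")),
    "hotel_wifi": (302, {"Location": "http://login.hotel.test/portal"}, b""),
    "https_redirect": (301, {"Location": "https://www.bom.gov.au/"}, b""),
}


def classify_samples():
    """Run every constructed sample through the classifier."""
    return {name: classify_response(*reply) for name, reply in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:15s} -> {verdict}")
```

A digest comparison only works for a probe page whose content is stable; a live forecast page changes, so a real check would pin a static resource on the same host.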
It depends on your provider though. I can tell from experience that with OVH and their API, it's been easy to set up the automatic renewal via DNS verification. Apparently, the official client has support for the DNS API of 159 providers: https://github.com/acmesh-official/acme.sh/wiki/dnsapi
Well, credit where it’s due: given the number of disparaging statements about cryptography made by Australian politicians, it seems they actually practice what they preach.
The fact that this is on a .gov.au makes it a bit more attractive to targeted MITM attacks, I would think, given a government site's position of authority.
Controversial opinion: Why do I need HTTPS when looking for the weather forecast? HTTPS is blindly thrown on everything. If the data is public and no login or personal/sensitive data is involved, why do I need HTTPS?
> If the data is public and no login or personal/sensitive data is involved why do I need https?
Do you care whether the data actually comes from your weather forecasting service and was not tampered with by a third party? Then you need https as well.
A different example: a podcast website I've seen was served over http, and someone argued the same (data is public, no login). The page contained an IBAN for donations. That would be a valuable target to replace as an MitM.
What happens when a site you really do need and have HTTPS on (your bank, say) has a cross-site request forgery vulnerability, and someone plops an exploit script on that non-HTTPS site you visit? With crafty enough hackers, your savings just got wired to a foreign country.
The entire internet needs to be HTTPS to protect against stupid security decisions made long ago that we can’t undo now in the name of backwards compatibility.
The rationale, such as it is, is that BoM serves current and historic weather parameters for various parts of Australia and hasn't seen any need to ensure that it is delivered in a secure manner to individual web users.
There might be some hypothetical scenario from faking weather data and injecting it to fool the casual user but that seemingly hasn't come up in practice and so they don't fuss about it.
On the flip side, for those interested in RAW downloads from MODIS and other sats relevant to the weather, to ground station raw data transfers, to modelled predictions under various assumptions for commercial | military | government use etc ... BOM has secure login and bulk data transfer protocols, and has had those for at least 30+ years (morphing with time).
NZ feels behind Australia in most ways. But in this area we're ahead. It's slightly insane to me a country as wealthy as yours still has this sort of thing going on.
Honestly, I think every third-party involved in transporting http traffic should do the public a service and replace the transmitted data with some cat images or whatever else. Every unencrypted connection should be messed with so that there cannot be accidental unencrypted transmission of sensitive data, just in case.
kspacewalk2|2 years ago
Strilanc|2 years ago
paleface|2 years ago
geek_at|2 years ago
See: why are free proxies free https://blog.haschek.at/2013/05/why-free-proxies-are-free-js...
mike-cardwell|2 years ago
chmod775|2 years ago
You tell me why http is bad now.
verve_rat|2 years ago
akdor1154|2 years ago
fowl2|2 years ago
L_226|2 years ago
What about when they wasted $220k [1] on rebranding but ended up scrapping it?
[0] https://www.itnews.com.au/news/asd-reveals-how-the-bureau-of...
[1] https://www.abc.net.au/news/2022-10-19/bureau-meteorology-re...
cjs_ac|2 years ago
[0] https://www.abc.net.au/news/2018-03-08/bureau-of-meteorology...
defrost|2 years ago
pophenat|2 years ago
http://www.bom.gov.au/catalogue/anon-ftp-hints.shtml
matrss|2 years ago
slowbdotro|2 years ago
auxesis|2 years ago
For over a decade the BOM themselves ran ads on their website:
https://www.governmentnews.com.au/online-ads-now-permanent-f...
https://web.archive.org/web/20230605202001/http://www.bom.go...
They appear to have stopped the practice in June 2023:
https://web.archive.org/web/20230515000000*/http://www.bom.g...
davidbanham|2 years ago
AFAIK the only way to programmatically obtain BOM data is the awful ftp endpoint.
JonathanBeuys|2 years ago
If Let's Encrypt would offer wildcard certificates with their URL-based authentication as they offer for non-wildcard certificates, it would be ok.
But having to tinker with the DNS infrastructure for each project which wants to use domain-wide HTTPS is so much hassle.
lgeorget|2 years ago
8organicbits|2 years ago
NL807|2 years ago
pwdisswordfishc|2 years ago
gia_ferrari|2 years ago
dottjt|2 years ago
exikyut|2 years ago
ulrischa|2 years ago
matrss|2 years ago
mplewis9z|2 years ago
harrymit907|2 years ago
la_oveja|2 years ago
einpoklum|2 years ago
ksaho|2 years ago
defrost|2 years ago
LAC-Tech|2 years ago
springah|2 years ago
LAC-Tech|2 years ago
matrss|2 years ago
FpUser|2 years ago
aaron695|2 years ago