The Bureau of Meteorology website does not support connections via HTTPS
bom.gov.au
What practical difference does it make if I connect to an Australian weather forecast site via HTTP or HTTPS? Is the NZ secret police gonna MITM a rain forecast my way when it's actually gonna be a very sunny day?
A government site has implicit authority. You could use that implicit authority to make a scam look more authentic. It also will have a lot of traffic; a lot of opportunities for the scam to work if you do manage to get in the middle.
For example, inject a dialog box that says "Our records indicate your taxes were not paid this year! Before you can view the weather you must click here and log in to resolve this issue!".
Aside from browsing history and privacy implications, some ISPs insert adverts into the HTML, possibly opening up the user to drive-by browser exploits…
The reality is, it’s not complicated to add HTTPS as a feature, so there’s no good reason why it’s not implemented, aside from incompetence or trying to save money on staff?!
> some ISPs insert adverts into the HTML, possibly opening up the user to drive-by browser exploits…
Just like some sites insert adverts in web pages, "possibly opening up the user to drive-by browser exploits…"
It's just dangerous because any party on the way between wifi and the server can edit the content
See: why are free proxies free https://blog.haschek.at/2013/05/why-free-proxies-are-free-js...
In the same way as walking to the bank is dangerous because any party on the way can rob you on the way?
I regularly visit: www.bom.gov.au/<mystate>/forecasts/<mytown>.shtml
It either shows me the forecast or it doesn't.
To date it's always worked - if one day it doesn't I might have to look out of a window.
> In the same way as walking to the bank is dangerous because any party on the way can rob you on the way?
To make this analogy more fitting, you'd also need a big sign around your head "going to do some banking, carrying all necessary credentials, cannot tell legitimate bank from fake bank".
Still not a great analogy though.
> In the same way as walking to the bank is dangerous
It could be if anyone could make their shop look exactly like a real bank branch.
Imagine a major weather event is coming and a warning banner shows on the weather site telling you to stay off the roads. But some carelessly injected ad covers it, or the injected CSS makes it unreadable. You don't see it and suffer a crash.
Government communications should not be subjected to arbitrary modification by intermediaries. Ad injection on HTTP is (or at least was, when unencrypted HTTP was popular) common. It also raises the concern that the ad will appear to have government sponsorship, which invites scams and other malvertising.
A government agency should seek to communicate information with the public, especially safety information, via an untamperable communication channel.
It's the BoM site, in Australia.
As a site it's considerably less authoritative than you seem to believe; people get weather warnings here in Australia from the TV, from the radio, from apps on their phones, from looking outside and seeing weather fronts rolling in.
Few people actually directly visit the BoM site; those that do are generally long-time users familiar with the site, using the usual array of adblockers and noscript, unlikely to fall for "Click here" injection attacks, and more likely to have a direct fibre | line connection to a major ISP to BoM with little chance for malicious injection in any case.
The risks are understood and doomsday scenarios have yet to occur after nearly 40 odd years online as a non https site.
You can sign in to this website. If you do, your password has been sent over clear text. People re-use passwords across sites.
Here's where people from Australian military intelligence sign in: http://reg.bom.gov.au/defence/
You tell me why http is bad now.
My Android phone was redirected to an https endpoint.
If the first request is plaintext, the request can be intercepted before you ever get the redirect, inserting a trojanised login page instead.
Nah, the NZ secret police is too busy removing NZ from maps so no one can find us.
I feel like all police in NZ are secret police because I never see any out in the street anymore.
Now you mention it, I only really see police cars around here - quite rare to see police walking.
I guess this is an effect of having built a digital panopticon. As pretty much everything we do leaves a digital trace, and as one is oblivious to being observed (with observation potentially occurring in the future as automated agents run over data), the potential scrutiny changes behaviour. And that in turn allows for a decrease in the number of police required to be physically present.
I wonder if you could mitm an HSTS header.. short term dick move but might raise enough of a stink for it to be fixed..? I can only dream.
HSTS headers are only respected on HTTPS connections
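The two comments above (the plaintext first request being interceptable before the redirect, and HSTS being honoured only on HTTPS responses) are what a browser actually evaluates on a first visit. The following is an added example, not code from the thread or from the BoM: a small HSTS parser plus a model of a browser with no cached policy walking an HTTP-to-HTTPS redirect. The response pair is constructed, the hostname `login.example.gov.au` is a placeholder, and the HSTS preload list is not consulted (so the "first request is plaintext" verdict is the conservative one).

```python
"""Added example (not from the thread): model the redirect-before-HSTS gap.
Rules follow RFC 6797: a Strict-Transport-Security header is only honoured
when received over HTTPS with a valid certificate, so the very first plaintext
request of a browser with no cached policy is always exposed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class HstsPolicy:
    max_age: int              # seconds the browser will refuse plaintext for this host
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse an STS header value. A missing or non-numeric max-age makes the
    header invalid, which browsers treat as 'no policy'."""
    max_age = None
    include_subdomains = preload = False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "max-age":
            if not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return None if max_age is None else HstsPolicy(max_age, include_subdomains, preload)


def assess_first_visit(http_resp: dict, https_resp: dict) -> dict:
    """Evaluate a browser with no cached HSTS state visiting http://host/.
    http_resp is the plaintext hop, https_resp the hop it redirects to.
    Header dict keys are assumed to be in canonical case."""
    location = http_resp["headers"].get("Location", "")
    result = {
        # Nothing on the wire can protect this hop; only a preload-list entry
        # or a prior visit would have skipped it (not checked here).
        "first_request_plaintext": True,
        "redirects_to_https": http_resp["status"] in (301, 302, 307, 308)
                              and location.lower().startswith("https://"),
        # An STS header on the plaintext response is silently discarded.
        "hsts_ignored_on_http": "Strict-Transport-Security" in http_resp["headers"],
        "policy": None,
        "protected_for_seconds": 0,
    }
    sts = https_resp["headers"].get("Strict-Transport-Security")
    if https_resp.get("cert_valid", True) and sts:
        policy = parse_hsts(sts)
        if policy:
            result["policy"] = policy
            result["protected_for_seconds"] = policy.max_age
    return result


# Constructed sample exchange (not captured from any real site).
PLAINTEXT_FIRST_HOP = {
    "status": 301,
    "headers": {
        "Location": "https://login.example.gov.au/",
        "Strict-Transport-Security": "max-age=31536000",   # ignored: sent over HTTP
    },
}
TLS_SECOND_HOP = {
    "status": 200,
    "cert_valid": True,
    "headers": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
}

if __name__ == "__main__":
    for key, val in assess_first_visit(PLAINTEXT_FIRST_HOP, TLS_SECOND_HOP).items():
        print(f"{key}: {val}")
```

The useful output is `protected_for_seconds`: after the first successful HTTPS hop the browser rewrites plaintext URLs for that host internally for `max-age` seconds, so the window an intermediary has is the first visit (or any visit after the policy expires). A site that never answers over HTTPS, as in the thread, never reaches that state at all.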
Remember when BoM was pwned [0] by a foreign intelligence service?
What about when they wasted $220k [1] on rebranding but ended up scrapping it?
[0] - https://www.itnews.com.au/news/asd-reveals-how-the-bureau-of...
[1] - https://www.abc.net.au/news/2022-10-19/bureau-meteorology-re...
The Bureau of Meteorology has form when it comes to computer security incidents[0].
[0] https://www.abc.net.au/news/2018-03-08/bureau-of-meteorology...
Employees on the inside using the data cruncher to mine bitcoin isn't a HTTPS issue - given these chancers were caught it appears the BOFH functioned uncorrupted and reported their illicit cycles.
I find intriguing their explanation about how to use their FTP service and why it’s not possible to access it with a modern browser.
They make an (easily made) mistake on that page: the encrypted version of FTP is not SFTP, but FTPS. SFTP is an entirely different protocol based on SSH.
HTTP to HTTPS is FTP to FTPS.
"cp" to "scp" is FTP to SFTP, i.e "secure" prefix.
Back in 2013-15 I was fortunate enough to know some people at BoM, specifically some IT people.
Their off-hand comment around why BOM didn't have https was due to the amount of overhead and infrastructure changes needed to make that https change.
Fast forward to 2018ish: they created a new API and a new website, Https://Weather.bom.gov.au, with https enabled! (which I now have integrated into a Raspberry Pi and an e-ink display for my morning weather).
For whatever (archaic) reason the new weather webui is now defunct but the api still exists, uses https, and as far as I know supports their mobile applications.
All it would take is for some ISPs here to mitm the traffic with ads / junk and maybe they would change it. The upside to this story is that it is currently a great site to visit for captive portal detection.
The reality is much worse.
For over a decade the BOM themselves ran ads on their website:
https://www.governmentnews.com.au/online-ads-now-permanent-f...
https://web.archive.org/web/20230605202001/http://www.bom.go...
They appear to have stopped the practice in June 2023:
https://web.archive.org/web/20230515000000*/http://www.bom.g...
I am very interested in this api. How do I get at it?
AFAIK the only way to programmatically obtain bom data is the awful ftp endpoint.
HTTPS is still a pain in the ass, even in 2024.
If letsencrypt would offer wildcard certificates with their URL based authentication as they offer for non-wildcard certificates, it would be ok.
But having to tinker with the DNS infrastructure for each project which wants to use domain wide HTTPS is so much hassle.
It depends on your provider though. I can tell from experience that with OVH and their API, it's been easy to set up the automatic renewal via DNS verification. Apparently, the official client has support for the DNS API of 159 providers: https://github.com/acmesh-official/acme.sh/wiki/dnsapi
What's the challenge for you? Does your DNS server not have an API, is it internal politics and process, or something else?
I personally know someone working at BOM. His endless ranting about how the place is run is hilarious.
Well, credit where it’s due: given the number of disparaging statements about cryptography made by Australian politicians, it seems they actually practice what they preach.
The fact that this is on a .gov.au makes it a bit more attractive to targeted MITM attacks, I would think, given a government site's position of authority.
I remember seeing this yesterday when visiting the site. Wasn't sure if it'd always been like this, or if this was recent.
Probably your browser trying HTTPS-first
Controversial opinion: Why do I need https when looking for the weather forecast? Https is blindly thrown on everything. If the data is public and no login or personal/sensitive data is involved, why do I need https?
> If the data is public and no login or personal/sensitive data is involved why do I need https?
Do you care about if the data actually comes from your weather forecasting service and was not tampered with by a third party? Then you need https as well.
A different example: a podcasts website I've seen was served over http, and someone argued the same (data is public, no login). The page contained an IBAN for donations. That would be a valuable target to replace as an MitM.
No need for encrypted data transfer here. Proven authority would be enough.
I am not familiar with the term "proven authority", but I assume what you mean is that it is enough to prove the authenticity of the data in this case. Yes, a cryptographic signature of the page's content would be enough here, but then you would still have some kind of PKI and cryptography involved, and in the end https is the best supported approach for that.
Defaulting to full https also has the advantage that you don't have to re-evaluate if you should be using https in the future, when you make some changes to the functionality or content of a website.
HTTPS is the method by which authority is proven.
What happens when a site you really do need and have HTTPS on (your bank, say) has a cross-site request forgery vulnerability, and someone plops an exploit script on that non-HTTPS site you visit? With crafty enough hackers, your savings just got wired to a foreign country.
The entire internet needs to be HTTPS to protect against stupid security decisions made long ago that we can’t undo now in the name of backwards compatibility.
> The entire internet needs to be HTTPS to protect against stupid security decisions made long ago that we can’t undo now in the name of backwards compatibility.
We can undo it now, the powers that be just refuse to abandon the altar of backwards compatibility, damn the cost. (Even though the addition of a straightforward document browser with no JS and no dynamic content would seriously improve most of the internet....)
Your LE friendly ISP can insert a JS browser exploit and gain access to your device. Is that a valid reason?
Meh, that's all such a theater. LE can ask anyone to insert a "JS exploit", especially into the government meteo service. It will then be nicely, safely and securely served to you via HTTPS :) Of course, enabled specially for your IP address so that no one else gets any clue.
edit: and everyone is voluntarily mitming via cloudflare anyway..it's all such a farce
Seeing Verdana brings back such good memories. My fav font when I started learning webdev.
So? It also doesn't scramble voice calls when you call their offices, I would think.
Welcome to Australia. This has been an issue for years, and I don't know why.
The rationale, such as it is, is that BoM serves current and historic weather parameters for various parts of Australia and hasn't seen any need to ensure that be delivered in a secure manner to individual web users.
There might be some hypothetical scenario from faking weather data and injecting it to fool the casual user but that seemingly hasn't come up in practice and so they don't fuss about it.
On the flip side, for those interested in RAW downloads from MODIS and other sats relevant to the weather, to ground station raw data transfers, to modelled predictions under various assumptions for commercial | military | government use etc ... BOM has secure login and bulk data transfer protocols, and has had those for at least 30+ years (morphing with time).
I think the more likely scenario for a MITM attack is to insert malicious scripts or links into the web page, not to fake weather data.
NZ feels behind Australia in most ways. But in this area we're ahead. It's slightly insane to me a country as wealthy as yours still has this sort of thing going on.
Assuming this has come from Tall Paul Tech’s latest video?
DJ Tall Paul is a tech youtuber!?! fuck yeah
Honestly, I think every third-party involved in transporting http traffic should do the public a service and replace the transmitted data with some cat images or whatever else. Every unencrypted connection should be messed with so that there cannot be accidental unencrypted transmission of sensitive data, just in case.
At least someone had decided to have common sense.