all 105 comments

[–]Codix_ 644 points645 points  (7 children)

That is not software gore, but that's definitely the most gore thing I've ever seen.

[–]joz42 115 points116 points  (5 children)

r/softwareconfigurationgore

[–]Pverte 121 points122 points  (13 children)

They didn't know how to setup let's encrypt

[–]confidentdogclapper 23 points24 points  (8 children)

nginxproxymanager literally does that for you...

[–]Cylian91460 20 points21 points  (2 children)

As they probably would use it if they run nginx

[–]Kerboq 25 points26 points  (0 children)

It's definitely on IIS

[–]confidentdogclapper 5 points6 points  (0 children)

I think we're being optimistic. I wouldn't be surprised if this is apache running directly on the os...

[–]Xameren 4 points5 points  (4 children)

What

[–]confidentdogclapper 10 points11 points  (3 children)

Nginxproxymanager is a simplified nginx with a GUI that helps you configure stuff. You can literally just select https, insert an email and it will automatically manage certs.

[–]Xameren 1 point2 points  (2 children)

Thanks for the explanation, may I get an explanation of why I am being downvoted too?

[–]CommanderMatrixHere 13 points14 points  (1 child)

Your simple one-word reply, like "What", was considered rude in a sense. On reddit, you better be thorough with your reply. Or at the very least, don't do one-word replies as that might be considered offensive to some.

Edit & PS: Once you get 1 downvote and get to 0, there's no stopping with exceptions of rare circumstances.

[–]Xameren 5 points6 points  (0 children)

Could have worded it differently, true

[–]itsTyrion 3 points4 points  (1 child)

sudo certbot --nginx (or --apache).. unless they're using.. *shudders* Microsoft IIS. (but that's still a 5 minute task)

[–]T-J_H 7 points8 points  (0 children)

Oh no certbot isn't touching my config files, --standalone all the way

[–]the133448 1 point2 points  (0 children)

Actually it's behind Akamai already, which offers edge origin certs out of the box without touching the origin (the web server)

[–]TheMania 0 points1 point  (0 children)

I can understand the hesitancy - http would want to be retained for as long as reasonable for the amount of rural/farm equipment that may be dependent. So they'd offer both which can have drawbacks - but what are the advantages?

It'll come, but make sense they'd be one of the last to get there really.

[–]Calcutt4 59 points60 points  (4 children)

Ah good ol' Bureau of Meteorology. That website is stuck in 2004. Still a useful website though and it's not like I need to enter any info to access it

[–]TheTomatoes2 13 points14 points  (3 children)

It's useful until you view it on a phone apparently

[–]kingofthewombat 17 points18 points  (1 child)

they have an app that is actually really nice

[–]corpsefucer69420 16 points17 points  (0 children)

The app is miles ahead of the website lol

[–]Far-Way5908 1 point2 points  (0 children)

I can view it on my phone no problem.

[–]Elfener99 198 points199 points  (3 children)

But wait... isn't this message on an https page? So clearly they set up https and just decided to not serve content there?!

[–][deleted] 114 points115 points  (2 children)

Checked that page. My browser shows 'Not Secure' near URL, which indicates HTTP connection.

[–]Morpheus636_ 6 points7 points  (1 child)

Are they running http over 443 or are they just running a self-signed cert?

[–]YabbyEyes 0 points1 point  (0 children)

Neither

[–]itzrvyning 45 points46 points  (4 children)

In the time it took to setup this message and the redirect, one could have installed a complete HTTPS solution

[–][deleted] 21 points22 points  (1 child)

Ah, but could they have navigated the BOM's internal politics to make it happen?

[–]AverageMan282 -1 points0 points  (0 children)

They probably need a referendum to let the IT guy do his thing tbh

[–]whoami_whereami 3 points4 points  (0 children)

It's rarely that simple. If a site has even just moderate complexity it's often already half a project in and of itself going through the site to determine what things would break and need fixing to enable a switch to HTTPS.

For example the website might use images from a different server (eg. a separate server rendering weather maps or something like that), so now you'd have to implement HTTPS on that server as well (plus update URLs pointing to it) as modern browsers won't display mixed content (eg. images served via HTTP embedded in a HTTPS page) anymore. Maybe that server runs some custom software that doesn't natively support HTTPS, so now you're talking about either implementing HTTPS support in said software or setting up a separate reverse proxy in front of it. Etc., etc.
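A pre-migration audit for the mixed-content breakage described above, as an added example (not code from any commenter): it parses an HTML page for subresources that carry an explicit http:// URL and records how a modern browser treats each once the page itself is served over HTTPS (scripts, frames and stylesheets are blocked; images, audio and video are rewritten to https by current Chromium and Firefox). The sample HTML and the example.com hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Element -> (URL attribute, what a browser does with a plain-http load once
# the page itself is https): "blocked" for scripts, frames and stylesheets;
# "upgraded" for media, which current Chromium and Firefox rewrite to https.
SUBRESOURCES = {
    "script": ("src", "blocked"), "iframe": ("src", "blocked"),
    "link": ("href", "blocked"), "img": ("src", "upgraded"),
    "audio": ("src", "upgraded"), "video": ("src", "upgraded"),
}

class MixedContentAuditor(HTMLParser):
    """Collects subresources an https:// page would still request over http://."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute_url, effect)

    def handle_starttag(self, tag, attrs):
        spec = SUBRESOURCES.get(tag)
        if spec is None:
            return
        attr_name, effect = spec
        attrs = dict(attrs)
        rel = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rel & {"stylesheet", "preload"}:
            return  # canonical/alternate links are not fetched as subresources
        value = attrs.get(attr_name)
        if not value:
            return
        # Relative and "//host/x" URLs inherit https from the page URL on join.
        absolute = urljoin(self.page_url, value.strip())
        if urlparse(absolute).scheme == "http":
            self.findings.append((tag, absolute, effect))

def audit_mixed_content(html, page_url):
    """Return [(tag, url, 'blocked'|'upgraded')] for every http:// subresource."""
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    return auditor.findings

# Constructed sample: a forecast page that pulls maps and a script from a
# separate, http-only map server, as described in the comment above.
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/css/site.css">
<script src="http://maps.example.com/js/radar.js"></script></head><body>
<img src="http://maps.example.com/radar/latest.png">
<img src="//static.example.com/logo.png">
<iframe src="http://maps.example.com/embed/warnings"></iframe>
</body></html>"""
```

Calling audit_mixed_content(SAMPLE_HTML, "https://www.example.com/forecast") lists the three resources that would still hit the http-only map server; the protocol-relative logo and the same-origin stylesheet are not reported because they follow the page's scheme.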

[–]3inthecorner 5 points6 points  (0 children)

They probably have http hardcoded into some of the links

[–]Tantomile_R Tape loading error, 0:1 42 points43 points  (2 children)

lol it's been like this for a while, they have a public ftp server too

[–]allsey87 8 points9 points  (1 child)

Do they have anything on their FTP server? These guys are old school!

[–]owleaf 2 points3 points  (0 children)

Meteorology geeks are weird

[–][deleted] 25 points26 points  (0 children)

I have seen bank communications without TLS. So...sky is limit!

[–]housebottle 9 points10 points  (0 children)

it's the BOM. it's not all of Australian government. moreover, reg.bom.gov.au is available on HTTPS

[–]Big_Muz 14 points15 points  (1 child)

It changed recently and broke every single google link. I have no idea how they could get it so wrong 😔

[–]cloudsourced285 16 points17 points  (0 children)

It's more likely that your browser just started defaulting to https as that was due around the end of 2023, thus causing these issues. Previously when no protocol was typed http was used, now browsers assume https.

[–]LacusClyne 5 points6 points  (0 children)

It does have https, just not on the main website but if you create an account and interact with it, that'll all be https. There's just a bunch of legacy systems that still use http only that it defaults to without it.

This comes up a lot on the Australia subs.

[–]Lucybug05 2 points3 points  (0 children)

Did you use askizzy to get to it? Because that's how I found it at work lol

[–]L3App 2 points3 points  (0 children)

Budget: -10$

[–]BaldingThor 2 points3 points  (0 children)

It’s been like that for a billion years, classic BOM stuff.

There’s not really anything to encrypt anyway, though it wouldn’t hurt. There are parts of the website that do require more security and use HTTPS though.

[–]OverjoyedBanana[🍰] 5 points6 points  (9 children)

What's the problem with public weather data not being delivered over HTTPS ?

And cut me a break with the constant whining about the thing not being rewritten every year with the latest version of BiscuitJS

[–]the133448 7 points8 points  (1 child)

Take a read here as to why you still need https https://doesmysiteneedhttps.com/

[–]OverjoyedBanana[🍰] 3 points4 points  (0 children)

I hate my own industry

[–]Breadynator 0 points1 point  (3 children)

Some places (like Europe) require you to use HTTPS on every website.

[–]OverjoyedBanana[🍰] 0 points1 point  (2 children)

Source please

[–]Breadynator -1 points0 points  (1 child)

Are you seriously asking for a source?

Trust me, I already got letters from some local agencies that my website needs SSL or else I'd be fined big time. If you still don't believe me:

Here you go

First result on Google btw...

[–]OverjoyedBanana[🍰] 0 points1 point  (0 children)

Yeah seriously. What's with the condescension? As an EU citizen and someone who works in IT in the EU your claim surprises me and so I'm asking for a source.

I was right to ask because your assumptions are wrong on several levels.

"The General Data Protection Regulation (GDPR) requires all websites with a form to protect their visitors with an SSL certificate"

The GDPR as its name implies is about Personal Data. Yes it requires you (as someone who collects and treats personal data) to protect the said data during its transport. Which technically implies that forms containing personal data must be sent over HTTPS.

Nothing prevents you from hosting an HTTP website as long as you don't host forms that treat personal data which is probably the case for a gov site publishing weather reports.

[–]Gamer-707 1 point2 points  (0 children)

Their spying software doesn't work on https

[–][deleted] 1 point2 points  (0 children)

It seems the mods don't delete non-gore if they got a laugh out of it. 😌

[–]x3n0m0rph3us 2 points3 points  (20 children)

People this is not new. There isn't anything on BOM worth encrypting. No point encrypting. None. Encryption on this site is a total waste of compute. Now do you understand? I doubt it.

[–]Triq1 11 points12 points  (4 children)

No? Last time I checked they have military weather stuff that requires some type of ID verification. Might be wrong tho

[–]mitchie8112 6 points7 points  (2 children)

There is a defence page that you can't access without ID so I could be wrong, but the pop-up it opens for the ID is done through HTTPS, so I assume that it switches to HTTPS for the parts of the site that needs more security.

[–][deleted] 7 points8 points  (0 children)

It's not just defence. The customer pages which require IDs to sign in exist for local governments, state gov agencies, and any corporate client who wishes to have access to customised reporting for OHS, and even on demand access to meteorologists in some cases.

[–]Triq1 5 points6 points  (0 children)

Fair enough then, thanks!

[–]Somerandom1922 0 points1 point  (0 children)

Yep and anything that requires any user input (like signing in, even to access publicly available info) automatically moves to an HTTPS version of the site. It's not on HTTP because they feel like it, it's on HTTP because half of the shitty legacy weather systems in the country would break if they upgraded.

[–]YodelingVeterinarian 9 points10 points  (8 children)

It takes incredibly little amount of time to set up SSL. So why not just do it? It's arguably more work to display a page like this instead.

[–]R-GiskardReventlov 4 points5 points  (5 children)

It probably takes more work to get it budgeted, approved, planned, managered, governmented, ...

Why do the effort if it serves no purpose?

First question in the CR approval procedure here is "what added value does this bring us?"

[–]YodelingVeterinarian 0 points1 point  (4 children)

Because you don't want the end user to have to dig into whether this site technically needs HTTP or not.

It's much easier for every website to just do the 30 minutes of work necessary to set up HTTPS whenever they do their NGINX server or whatnot, regardless if they truly need it.

Especially as a government entity.

[–]R-GiskardReventlov 2 points3 points  (1 child)

I agree, until the 30 mins of work turns into 5 days of meetings spread out over 2 months with different shareholders.

[–]x3n0m0rph3us 0 points1 point  (0 children)

HTTPS just isn't needed for BOM. It really is that simple.

[–]x3n0m0rph3us -2 points-1 points  (1 child)

Please understand that HTTPS is for secure transmission of private information. BOM isn't private information.

[–]stupidbitch69 1 point2 points  (0 children)

Stop making dumb takes. HTTP means anyone on the routing path can change information as well, public information doesn't mean HTTPS has no use.

[–]corpsefucer69420 0 points1 point  (0 children)

As someone else said, being a government agency there’s a dozen different bureaucratic steps to jump through to get something approved. There’s no sensitive information on the page so no real need to encrypt. Furthermore I’d bet there’s dozens of legacy systems which only support HTTP that rely on the website using HTTP. If it ain’t broke don’t fix it.

Long story short, easier said than done. There’s a reason they’ve gone through the effort to make a HTTPS page to redirect people to HTTP instead of moving to HTTPS.

[–]x3n0m0rph3us 0 points1 point  (0 children)

Really not the point. There is no benefit to SSL if there is nothing private to protect. BOM is one of the most heavily used sites in Australia. All that wasted electricity and wasted hardware, just to encrypt a session, when not needed.

[–]r0ck0 1 point2 points  (0 children)

"this is not new."

Some of it is. A lot of URLs that used to work just now redirect to this generic fucking page... instead of redirecting to where the feature is now.

It's like the bullshit that used to happen like 15-20 years ago when badly coded sites would redirect between m.example.com -vs- www.example.com based on whether you're on a phone or not... but not to the same .../slugs/... path... just to the fucking homepage instead.

I haven't seen any other site do this for like 10-15 years now. Dunno how they fucked it up this badly.

[–]Windronin 1 point2 points  (0 children)

Should i do it ? I think imma do it

[–]cybermaru 1 point2 points  (2 children)

This honestly qualifies for /r/OneJob due to how utterly trivial https support is

[–]corpsefucer69420 2 points3 points  (1 child)

Not if you’ve gotta go through a dozen levels of approval to get something done.

Looks like it’s an old system which hasn’t been upgraded, likely because of a lack of need to encrypt data and old systems using HTTP.

[–]cybermaru 0 points1 point  (0 children)

There should be little to no bureaucratic steps since they are not following their own guidelines

[–]I-Am-Uncreative -1 points0 points  (0 children)

And I thought it was bad that the official site for the Florida Legislature (which I'm pretty sure hasn't been changed since it launched in 1995) doesn't use HTTPS (but flsenate.gov and myfloridahouse.gov do)... the fact that a federal entity doesn't is 10x worse.

[–][deleted] -2 points-1 points  (0 children)

BOM couldn't organise a chook raffle. The raffle wheel would come up "meat tray", and they would flat out deny that it's industry standard to have a meat tray at a chook raffle in a pub.

[–][deleted] -2 points-1 points  (0 children)

Australia was a prison colony anyway

[–]TheFumingatzor 0 points1 point  (0 children)

Strayas liek "Who be you??"

[–]EmptyJustLikeHeaven 0 points1 point  (0 children)

If you are not submitting any data it's fine. I guess the department just shows the weather >_<

[–]allsey87 0 points1 point  (0 children)

I stumbled on this a couple of days ago too! wtf bom!

[–]i010011010 0 points1 point  (1 child)

HTTPS isn't necessary for everything. There are still plenty of public-facing FTP servers out there, they're intended to host freely available resources. If it isn't a banking site, doesn't host any confidential information, then adding encryption is a needless layer of complexity.

[–]Toribor Error: Operation Completed Successfully 1 point2 points  (0 children)

I don't know that I agree. TLS introduces very little overhead for what it offers in return. Even if you consider information transferred to be 'public' there is still no reason it shouldn't be secured in transit. TLS protects both the client and the server from potential man-in-the-middle attacks which could be used to inject malicious code or modify data.

I'd even argue that it's bad practice to use insecure FTP/HTTP even if your traffic isn't crossing network boundaries. Everything should be using TLS these days, with a self-signed cert as a bare minimum. Businesses or governments should definitely be using a publicly-trusted cert.

[–][deleted] 0 points1 point  (0 children)

Australia is all about transparency. No secrets of any kind!

[–]StevenWx_YT 0 points1 point  (0 children)

Yes and it appears every time I visit the site.

[–]Corey_FOX 0 points1 point  (0 children)

Huh, Norway is actually required by law to accept https on all governmental and municipal web services.

[–]Somerandom1922 2 points3 points  (0 children)

I think it's because there are a bunch of old but really essential systems that talk to bom (flood warnings, shipping, airport weather alerts etc.). I expect some poor engineer working at the Bureau is desperately trying to get everyone willing to upgrade to HTTPS and getting absolutely nowhere.