[flagged] Australian Government’s Bureau of Meteorology Can’t Do HTTPS (bom.gov.au)
39 points by taspeotis on Dec 2, 2020 | hide | past | favorite | 65 comments



> “The Bureau of Meteorology (BoM) has been undertaking what it has called a comprehensive rebuild of its IT systems and related business processes and applications, focused on addressing security and resilience risks. ... The component operations contract is expected to start December this year and run through June 2022.” [1]

Now that it’s December, time to get moving BoM!

[1] https://www.zdnet.com/article/bom-seeks-robust-cloud-and-wan...


They seem to need some help around IT, the new-ish Android BOM app is basically a list of people saying 'we prefer the old one'

Someone approved a shiny new design but functionality is more inefficient now.


The current app is much better than the previous one (at least radar is readable), but much worse compared to 3rd party old apps.


I'd say I agree. Although, the radar is much better in the new version.


Wow, 1 year "IT Project" to get a single certificate???

Wait, they do have a correct cert on port 443... some fool play is happening!!!


If you read the article, or even the original comment, in full, you'd know that the scope of this IT project is much more than a single certificate.


Yes, but you don't need an "IT project" to just disable the redirect.


I just recently got my company's moneymaker app into HTTPS, and it was no small feat. So much totally screwed up browser automation (read: DOM/JS interaction) and ad-hoc URL construction kept disrupting the HTTPS experience by attempting to redirect or fetch HTTP.

I did have the certificate and reverse proxy ready to go a full 18 months before I could finish the app migration. Some previous developer was REALLY against relative URLs. "http://".$host.$urlPath everywhere.


...there is still a tiny bit of cleartext access, because some clients have URLs embedded in spreadsheets and support would rather not hear from all of them at once.


Is calling out a random government agency for not meeting our standards really the best use of the HN front page?


Isn't this what the voting is for? If it weren't interesting for the front page, it wouldn't be there, no?


I think it's kind of mean for us to find this story interesting. If I merely found it uninteresting, I wouldn't have commented.


It's not calling them out, it's meant to be humorous but unfortunately the joke seems to be lost on everyone.


Better than "can't do HTTP" which seems to get more common every year. I prefer this kind of info site being HTTP-only to being HTTPS-only. HTTPS causes occasional problems with certificates and some people can't use HTTPS.


> some people can't use HTTPS

This is surprising, can you go into more depth?


I guess if you don’t have direct internet access then sniffing wifi traffic at the local coffee shop might be the only way to get weather updates.


Not sure if this is what they had in mind, but certain very old devices won't cope with modern HTTPS. Old smartphones, for instance.

This may be a real concern in less wealthy parts of the world, but I doubt it applies to Australia.


One example would be running a client on hardware not capable of performing encryption fast enough. I think it would be particularly relevant to web browsers on Amiga.


To be honest, the decryption burden is fairly small compared to the layout burden. I don't think this is much of an excuse.


But that brings us into a completely different discussion: if you require JavaScript in your browser


My Chrome settings are to disable by default, and I only reenable it selectively. Unfortunately, yes, it is sometimes necessary.


There are extremists out there who submit the URL they would like to view, then receive it on e-mail later on in a document-like format they are comfortable using and that does not track you.


> it is sometimes necessary.

[Citation needed]


In general? Employer-mandated web apps.

In my personal case? OpenStreetMap/Google maps.


There's enough change in the ecosystem that outdated OSes (that people still use) often can't handle the current recommendations for which TLS versions to allow, don't have root certificates for newer certificates, ..., so how to set that up is an interesting balance if you need to reach as many people as possible (which for government info sites is probably the case)


* in China TLS 1.3 is blocked by the state firewall

* based on past reading of discussions here, in some states using encryption may be illegal, not sure if this is really the case, this may eventually come to the West as well, see Australian and U.S. officials' attacks on encryption

* old computers/OS/browser that the user can't update


Let the past die. Kill it, if you have to.


You are unbalanced, bested by a girl who had never held a light saber, YOU FAILED!


They can't do mobile friendly either, which is a pain when you're trying to determine how quickly a storm is moving in on your phone.


https://weather.bom.gov.au/onboarding - funnily enough this is both easier to read on mobile AND supports HTTPS.


Thanks for the link - do they actually promote that anywhere as it's perfect on a mobile.

The rain radar map seamlessly combining radars is awesome.


Thanks! I can't even remember how I found it originally - however I found it again by searching "bom mobile site". There's no mention of it on their main site at all.


What's remarkable here is that they do serve a valid certificate: https://www.ssllabs.com/ssltest/analyze.html?d=www.bom.gov.a...

That's a different situation to that of the Italian Health Ministry mentioned in another comment.


so what are we afraid of here? That a MiM attack would give us the wrong weather data?


https://www.abc.net.au/news/2016-10-12/bureau-of-meteorology...

"Bureau of Meteorology hacked by foreign spies in massive malware attack, report shows"

Clearly someone has an interest in targeting it - who knows if HTTPS would actually mitigate the risks though. Doubt it would hurt and would not be that difficult. It shows the lack of maintenance in BOM that leads to events like this.


Which again might be a reason why their upgrade from an old (hackable) OpenSSL to a newer version with limited budget might take a longer while. And the short term fix: Let us do only HTTP.

Just an educated guess ;)


Well, it might be indicative of wider issues with keeping their systems / data up to date, or the wider govt IT infrastructures that support them. If they are getting this wrong, what other problems are there, in the Met Bureau or across Govt IT.

I'm reminded of the COVID reporting fiasco we had in the UK in October [0] where Public Health England - an agency of the NHS - lost COVID data because they were using .xls files to log data rather than .xlsx - the former was silently truncating critical datasets because of a hard row limit. The .xlsx format first appeared in 2007, so the NHS have only had 13 years to get their act together.

[0] https://www.theregister.com/2020/10/05/excel_england_coronav...


More realistically: inject shady/spammy ads, or malware.


Also cause DDoS on third-party websites, as seen here:

https://arstechnica.com/information-technology/2015/04/ddos-...


Maybe, given their thirst for domestic surveillance, the govt demands a mitm feed and they can't provide it as easily.


I wish people would stop downplaying security, as if it took attention from an individual at a malicious agency to screw up your digital life.


I was informed in the late noughties, first hand by the author, that their entire climate model covering all Australian territories and airspace to a high altitude ran once every few seconds as a single SQL stored procedure.


A few years ago if you typed bom.gov.au in your address bar it wouldn't load. You'd have to type www.bom.gov.au .

It took them many years to add the redirect.

It's long overdue for an overhaul. I'm glad to hear it has already started.



Another one: the Italian Health Ministry doesn’t support https.

http://www.salute.gov.it/


Why is there /akamai/ in the first redirection target URL? Isn't Akamai, the company, already infamous for blocking deployment of TLS?


Good question. No idea why it was downvoted. They seem to be behind Akamai.

Their current https server at https://www.bom.gov.au returns AkamaiGHost in the Server Header:

  HTTP/1.1 307 Temporary Redirect
  Server: AkamaiGHost
  Content-Length: 0
  Location: http://www.bom.gov.au/akamai/https-redirect.html
  Date: Wed, 02 Dec 2020 12:23:22 GMT
  Connection: keep-alive
  Server-Timing: cdn-cache; desc=HIT
  Server-Timing: edge; dur=1
Also their IP address (for me 104.108.145.63) belongs to Akamai:

  NetRange:       104.64.0.0 - 104.127.255.255
  CIDR:           104.64.0.0/10
  NetName:        AKAMAI
  NetHandle:      NET-104-64-0-0-1
  Parent:         NET104 (NET-104-0-0-0-0)
  NetType:        Direct Allocation
  OriginAS:       
  Organization:   Akamai Technologies, Inc. (AKAMAI)


Is encryption banned in Australia, or is it non-encrypted so they don't need to add backdoors?


They probably don’t have the budget for a certificate!


More likely that the machine running the HTTP server doesn't support TLS 1.2. The landing page would be on some kind of proxy that isn't able to access the database.


The connection to https://www.bom.gov.au/ is done over TLS1.2 and they DO have a certificate.


But the HTTP and the HTTPS page are not served by the same server: https://news.ycombinator.com/item?id=25275816


At first I clicked and thought, so what? Then I got it and had a good chuckle.

Edit: looks like most readers don't get it either...


I didn't get it what am I missing?


The OP link is over https, which appears to work fine but only for redirecting you back to http


Check the output from curl. HTTPS is working but is merely redirecting to a page saying HTTPS is not working.

    $ curl -v https://www.bom.gov.au/
    *   Trying 104.78.177.116...
    * TCP_NODELAY set
    * Connected to www.bom.gov.au (104.78.177.116) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/ssl/certs
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *  subject: C=AU; ST=VIC; L=Docklands; O=Bureau of Meteorology; CN=*.bom.gov.au
    *  start date: Jun 10 00:00:00 2020 GMT
    *  expire date: Sep  9 12:00:00 2021 GMT
    *  subjectAltName: host "www.bom.gov.au" matched cert's "*.bom.gov.au"
    *  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust RSA CA 2018
    *  SSL certificate verify ok.
    > GET / HTTP/1.1
    > Host: www.bom.gov.au
    > User-Agent: curl/7.58.0
    > Accept: */*
    > 
    < HTTP/1.1 307 Temporary Redirect
    < Server: AkamaiGHost
    < Content-Length: 0
    < Location: http://www.bom.gov.au/akamai/https-redirect.html
    < Date: Wed, 02 Dec 2020 13:03:03 GMT
    < Connection: keep-alive
    < Server-Timing: cdn-cache; desc=HIT
    < Server-Timing: edge; dur=1
    < 
    * Connection #0 to host www.bom.gov.au left intact


Ha that's ridiculous. Thanks for letting me know.


It probably takes as much time to have one of their engineers implement that notice page as it does to enable https...


Unlikely. They probably run on something too old to support TLS 1.2. Since modern browsers generally refuse to use TLS 1.0/1.1 unless an option is set manually in the configuration to do so, it would be an even worse experience for their users if they switched to https.


Why wouldn't you at least just reverse proxy the popular pages or hell, put them on S3 or something? The ones checked by the general public, at least, could be statically generated and stored in s3 with a simple schedule!


That does not seem to be the issue as others have commented.

In large organisations technical issues are often not the blocker. Process, approval chain, etc. often are.


Probably an even more mundane reason: they have personnel available to create the redirection and HTTP error page, but not to do the proper migration to HTTPS.


This is incorrect. They already have an HTTPS server that supports TLS 1.2, it's just being used to redirect to their HTTP server.

This is verifiable by typing `curl -v https://www.bom.gov.au/` in your terminal.


It's not the same server.

A "curl --head https://www.bom.gov.au/" answers with "Server: AkamaiGHost", while "curl --head http://www.bom.gov.au/" answers with "Server: Apache".
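The curl transcript and the `--head` comparison above show the whole failure in two hops: the Akamai edge answers on 443 with a valid certificate and a 307, and the Location header sends the client back to plain HTTP on a different (Apache) server. The script below is an added example, not code from the Bureau or from any commenter, that walks a redirect chain one hop at a time (never following blindly) and reports the first HTTPS-to-HTTP downgrade, which Server header answered each hop, and whether the final response carried HSTS (an HTTPS origin that redirects to HTTP cannot meaningfully set it). The `SAMPLE_RESPONSES` table is constructed from the headers quoted in this thread so the script runs offline; `live_head` is an assumed helper for running the same check against a real host.

```python
"""Walk an HTTP(S) redirect chain hop by hop and flag an https -> http downgrade.

Added example for this thread, not code from the Bureau of Meteorology or any
commenter. SAMPLE_RESPONSES is constructed from the headers quoted in the
thread; every other name here is an assumption made for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urljoin
import http.client

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Hop:
    url: str
    status: int
    headers: dict = field(default_factory=dict)

    @property
    def scheme(self) -> str:
        return urlsplit(self.url).scheme.lower()


def _header(headers: dict, name: str):
    """Case-insensitive header lookup (real servers vary the casing)."""
    wanted = name.lower()
    for k, v in headers.items():
        if k.lower() == wanted:
            return v
    return None


# Constructed sample, modelled on the curl -v and curl --head output quoted above.
SAMPLE_RESPONSES = {
    "https://www.bom.gov.au/": (307, {
        "Server": "AkamaiGHost",
        "Content-Length": "0",
        "Location": "http://www.bom.gov.au/akamai/https-redirect.html",
    }),
    "http://www.bom.gov.au/akamai/https-redirect.html": (200, {
        "Server": "Apache",
        "Content-Type": "text/html",
    }),
}


def sample_head(url: str):
    """Offline stand-in for a HEAD request: look the URL up in the constructed table."""
    try:
        return SAMPLE_RESPONSES[url]
    except KeyError:
        raise ValueError(f"no constructed response for {url}") from None


def live_head(url: str, timeout: float = 10.0):
    """Real HEAD request via http.client that deliberately does NOT follow redirects."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


def follow_redirects(url: str, head=sample_head, max_hops: int = 10) -> list:
    """Follow Location headers one hop at a time, recording each response.
    Stops on a non-redirect status, a missing Location, a loop, or max_hops."""
    chain, seen = [], set()
    while len(chain) < max_hops:
        if url in seen:          # redirect loop: stop rather than spin
            break
        seen.add(url)
        status, headers = head(url)
        chain.append(Hop(url, status, headers))
        location = _header(headers, "Location")
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)   # Location may be relative
    return chain


def downgrade_report(chain: list) -> dict:
    """Summarise where the chain drops from https to http, which Server headers
    answered, and whether the final response set Strict-Transport-Security."""
    first_downgrade = None
    for i in range(1, len(chain)):
        if chain[i - 1].scheme == "https" and chain[i].scheme == "http":
            first_downgrade = i
            break
    final = chain[-1]
    return {
        "hops": len(chain),
        "downgraded": first_downgrade is not None,
        "first_downgrade_hop": first_downgrade,
        "servers": [_header(h.headers, "Server") or "?" for h in chain],
        "final_url": final.url,
        "final_scheme": final.scheme,
        "hsts_on_final": _header(final.headers, "Strict-Transport-Security") is not None,
    }


if __name__ == "__main__":
    # Swap head=live_head to run the same check against a real host.
    for key, value in downgrade_report(follow_redirects("https://www.bom.gov.au/")).items():
        print(f"{key:>20}: {value}")
```

The check is written as a defender's smoke test for your own sites: a `downgraded: True` result means every client that lands on the HTTPS front door is pushed back onto cleartext, so the certificate on port 443 buys nothing and HSTS cannot be deployed until the redirect is reversed. Running it periodically against your own hostnames (with `head=live_head`) catches the case where an edge or CDN rule silently reintroduces such a downgrade.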


Well, I’m on mobile so I can’t check but does the website run JavaScript? Third parties could inject malicious code with little difficulty

