Welcome to the Cumulus Support forum.

Latest Cumulus MX V3 release 3.28.6 (build 3283) - 21 March 2024

Cumulus MX V4 beta test release 4.0.0 (build 4017) - 17 March 2024

Legacy Cumulus 1 release v1.9.4 (build 1099) - 28 November 2014 (a patch is available for 1.9.4 build 1099 that extends the date range of drop-down menus to 2030)

Download the Software (Cumulus MX / Cumulus 1 and other related items) from the Wiki

Heads-up.. US Gov. websites to require HTTPS by end of 2016

Discussion of Ken True's web site templates

Moderator: saratogaWX

Post Reply
User avatar
saratogaWX
Posts: 1170
Joined: Wed 06 May 2009 5:02 am
Weather Station: Davis Vantage Pro Plus
Operating System: Windows 10 Professional
Location: Saratoga, CA, USA
Contact:

Heads-up.. US Gov. websites to require HTTPS by end of 2016

Post by saratogaWX »

As this article says:
Following the lead of many major Web services, the White House on Monday announced that it would move all of the federal government’s public sites and services to HTTPS-only.

Tony Scott, the federal CIO, has issued a memorandum to all federal agencies and departments instructing them to move all of their publicly accessible Web sites and services to HTTPS-only by the end of 2016.
The memorandum is available here.

What it means for weather enthusiasts running software that access US Government resources (NWS, USGS, etc.) is:
  • [li]All of the PHP scripts using http:// would have to change to use https:// and that is non-trivial. The scripts using FetchUrlWithoutHanging() routines would have to be updated with the functionality replaced (and I'll do that for my scripts). [/li]
    [li]Native weather software (Weather-Display, etc) would have to change to support https:// for data from US Government sites if they use them. [/li]
Fortunately, with any US Government program the timescale is fairly long (1.5 years) for compliance with the directive to use HTTPS to be fully implemented and HTTP 'cut off' (or more likely, a 301-Moved redirect to the HTTPS content) implemented, so we have some time to prepare.

This is just the first 'heads-up' that the change is coming, and the coding is more complex to do -- likely many of my scripts will switch to use cURL or file_get_contents() with a context as the way of adapting to use native PHP instead of the low-level fconnect()/fget() with metrics for diagnostics timings.

More as I find out the details for specific site's plans.

Best regards,
Ken
User avatar
saratogaWX
Posts: 1170
Joined: Wed 06 May 2009 5:02 am
Weather Station: Davis Vantage Pro Plus
Operating System: Windows 10 Professional
Location: Saratoga, CA, USA
Contact:

Re: Heads-up.. US Gov. websites to require HTTPS by end of 2

Post by saratogaWX »

Just did a bit of testing with the key sites:

www.weather.gov uses an invalid security certificate.
The certificate is only valid for the following names:
*.akamaihd.net, *.akamaihd-staging.net, a248.e.akamai.net, *.akamaized.net, *.akamaized-staging.net
(Error code: ssl_error_bad_cert_domain)

forecast.weather.gov uses an invalid security certificate.
The certificate is only valid for the following names:
*.akamaihd.net, *.akamaihd-staging.net, a248.e.akamai.net, *.akamaized.net, *.akamaized-staging.net
(Error code: ssl_error_bad_cert_domain)

dualicons-forecast.weather.gov has not enabled HTTPS ..
just times out.

earthquake.usgs.gov uses an invalid security certificate.
The certificate is only valid for the following names:
*.akamaihd.net, *.akamaihd-staging.net, a248.e.akamai.net, *.akamaized.net, *.akamaized-staging.net
(Error code: ssl_error_bad_cert_domain)

So they aren't quite ready for testing.. just have to wait for announcements.

It's my understanding that the NWS is deprecating all FTP access to data in favor of HTTP (and now maybe HTTPS).

I found the site https://https.cio.gov/ to be quite helpful in explaining in more detail what is mandated and caveats for implementation on Federal websites.

Best regards,
Ken
Post Reply