Trixology
WeatherCat => WeatherCat Web Templates => Topic started by: saratogaWX on June 10, 2015, 06:40:10 PM
-
As this article (https://threatpost.com/federal-agencies-to-move-to-https-only-connections/113221) says:
Following the lead of many major Web services, the White House on Monday announced that it would move all of the federal government?s public sites and services to HTTPS-only.
Tony Scott, the federal CIO, has issued a memorandum to all federal agencies and departments instructing them to move all of their publicly accessible Web sites and services to HTTPS-only by the end of 2016.
The memorandum is available here (https://www.whitehouse.gov/sites/default/files/omb/memoranda/2015/m-15-13.pdf).
What it means for weather enthusiasts running software that access US Government resources (NWS, USGS, etc.) is:
- All of the PHP scripts using http:// would have to change to use https:// and that is non-trivial. The scripts using FetchUrlWithoutHanging() routines would have to be updated with the functionality replaced (and I'll do that for my scripts).
- Native weather software (Weather-Display, etc) would have to change to support https:// for data from US Government sites if they use them.
Fortunately, with any US Government program the timescale is fairly long (1.5 years) for compliance with the directive to use HTTPS to be fully implemented and HTTP 'cut off' (or more likely, a 301-Moved redirect to the HTTPS content) implemented, so we have some time to prepare.
This is just the first 'heads-up' that the change is coming, and the coding is more complex to do -- likely many of my scripts will switch to use cURL or file_get_contents() with a context as the way of adapting to use native PHP instead of the low-level fconnect()/fget() with metrics for diagnostics timings.
More as I find out the details for specific site's plans.
Best regards,
Ken
-
Hi Ken
Thanks for the heads up on this
The more we know now about it the better
This will give everyone time to get ready for of this
cheers
[cheers1]
-
Just did a bit of testing with the key sites:
www.weather.gov uses an invalid security certificate.
The certificate is only valid for the following names:
*.akamaihd.net, *.akamaihd-staging.net, a248.e.akamai.net, *.akamaized.net, *.akamaized-staging.net
(Error code: ssl_error_bad_cert_domain)
forecast.weather.gov uses an invalid security certificate.
The certificate is only valid for the following names:
*.akamaihd.net, *.akamaihd-staging.net, a248.e.akamai.net, *.akamaized.net, *.akamaized-staging.net
(Error code: ssl_error_bad_cert_domain)
dualicons-forecast.weather.gov has not enabled HTTPS ..
just times out.
earthquake.usgs.gov uses an invalid security certificate.
The certificate is only valid for the following names:
*.akamaihd.net, *.akamaihd-staging.net, a248.e.akamai.net, *.akamaized.net, *.akamaized-staging.net
(Error code: ssl_error_bad_cert_domain)
So they aren't quite ready for testing.. just have to wait for announcements.
It's my understanding that the NWS is deprecating all FTP access to data in favor of HTTP (and now maybe HTTPS).
I found the site https://https.cio.gov/ to be quite helpful in explaining in more detail what is mandated and caveats for implementation on Federal websites.
Best regards,
Ken