Author Topic: Heads-up.. US Government websites to require HTTPS by end of 2016...  (Read 2263 times)

saratogaWX

  • Strong Breeze
  • ***
  • Posts: 156
  • Weather website programming enthusiast
    • Saratoga-Weather.org
  • Station Details: Davis VP1 +, iMAC 21, OSX 10.6.8
As this article says:
Quote
Following the lead of many major Web services, the White House on Monday announced that it would move all of the federal government?s public sites and services to HTTPS-only.

Tony Scott, the federal CIO, has issued a memorandum to all federal agencies and departments instructing them to move all of their publicly accessible Web sites and services to HTTPS-only by the end of 2016.

The memorandum is available here .

What it means for weather enthusiasts running software that access US Government resources (NWS, USGS, etc.) is:
  • All of the PHP scripts using http:// would have to change to use https:// and that is non-trivial. The scripts using FetchUrlWithoutHanging() routines would have to be updated with the functionality replaced (and I'll do that for my scripts).
  • Native weather software (Weather-Display, etc) would have to change to support https:// for data from US Government sites if they use them.

Fortunately, with any US Government program the timescale is fairly long (1.5 years) for compliance with the directive to use HTTPS to be fully implemented and HTTP 'cut off' (or more likely, a 301-Moved redirect to the HTTPS content) implemented, so we have some time to prepare.

This is just the first 'heads-up' that the change is coming, and the coding is more complex to do -- likely many of my scripts will switch to use cURL or file_get_contents() with a context as the way of adapting to use native PHP instead of the low-level fconnect()/fget() with metrics for diagnostics timings.

More as I find out the details for specific site's plans.

Best regards,
Ken
Ken True/Saratoga, CA, USA main site: saratoga-weather.org
Davis Vantage Pro Plus - FARS, Boltek-PCI/NexStorm, GRLevel3, WD, WL, VWS, Cumulus, Meteohub, WeatherSnoop, WeatherCat
Free weather PHP scripts/website templates - update notifications on Twitter saratogaWXPHP

Randall75

  • Storm
  • *****
  • Posts: 1332
  • CWOP-CW6734 WeatherUnderground-KOHNEWAR6
    • CW6734
    • KOHNEWAR6
    • Randy's Weather On The Hill
  • Station Details: Davis Vantage Pro 2 Plus.iMac i5 OS High Sierra 10.13.6 8GB Ram, WeatherCat 3,Logitech 9000 Pro Web Cam
Re: Heads-up.. US Government websites to require HTTPS by end of 2016...
« Reply #1 on: June 10, 2015, 07:42:11 PM »
Hi Ken
 Thanks for the heads up on this
The more we know now about it the better
This will give everyone time to get ready for of this


cheers


 [cheers1]

saratogaWX

  • Strong Breeze
  • ***
  • Posts: 156
  • Weather website programming enthusiast
    • Saratoga-Weather.org
  • Station Details: Davis VP1 +, iMAC 21, OSX 10.6.8
Re: Heads-up.. US Government websites to require HTTPS by end of 2016...
« Reply #2 on: June 10, 2015, 08:25:49 PM »
Just did a bit of testing with the key sites:

www.weather.gov uses an invalid security certificate.
The certificate is only valid for the following names:
 *.akamaihd.net, *.akamaihd-staging.net, a248.e.akamai.net, *.akamaized.net, *.akamaized-staging.net
 (Error code: ssl_error_bad_cert_domain)

forecast.weather.gov uses an invalid security certificate.
The certificate is only valid for the following names:
 *.akamaihd.net, *.akamaihd-staging.net, a248.e.akamai.net, *.akamaized.net, *.akamaized-staging.net
 (Error code: ssl_error_bad_cert_domain)

dualicons-forecast.weather.gov has not enabled HTTPS ..
just times out.

earthquake.usgs.gov uses an invalid security certificate.
The certificate is only valid for the following names:
*.akamaihd.net, *.akamaihd-staging.net, a248.e.akamai.net, *.akamaized.net, *.akamaized-staging.net
(Error code: ssl_error_bad_cert_domain)

So they aren't quite ready for testing.. just have to wait for announcements.

It's my understanding that the NWS is deprecating all FTP access to data in favor of HTTP (and now maybe HTTPS).

I found the site https://https.cio.gov/ to be quite helpful in explaining in more detail what is mandated and caveats for implementation on Federal websites.

Best regards,
Ken
Ken True/Saratoga, CA, USA main site: saratoga-weather.org
Davis Vantage Pro Plus - FARS, Boltek-PCI/NexStorm, GRLevel3, WD, WL, VWS, Cumulus, Meteohub, WeatherSnoop, WeatherCat
Free weather PHP scripts/website templates - update notifications on Twitter saratogaWXPHP