[nmglug] Let's Encrypt

Anthony J. Bentley anthony at anjbe.name
Tue Oct 4 22:20:27 PDT 2016


Hi Mars,

J. Marsden DeLapp writes:
> One little twist is that I have weather stickers (images) on my home
> page that come from http://weathersticker.wunderground.com and
> consequently that causes a warning that "parts of the page are not
> secure". 

This is called "mixed content." Any HTTP resources, even on an HTTPS
page, can be sniffed by passive attackers and modified by active
attackers. All in all, a good thing to avoid in general.

My understanding is that modern browsers block HTTP JavaScript, CSS and
iframes on HTTPS pages, but don't block HTTP images (yet). I would not
be surprised if policies changed in the future to block insecure images
as well.

> I could install a weather station and connect it to my network and HVAC
> system and write a bunch of software to maximize my comfort.
> 
> I could get up from my computer and stick my head out the window to see
> what the weather is like.
> 
> And my last option is to ask for help. Anyone know of a good way to
> show current weather on a https site?

Here's a working one from AOPA, although it's not very pretty:
https://www.aopa.org/airports/KABQ/embed/wx

www.weather.gov used to provide graphical widgets, but they now 404:
http://www.nws.noaa.gov/widgets/fcst_widget_displays.php?id=KABQ

The feds provide several web APIs for weather data; Weather Underground
does too. So you may want to look into a server-side solution.

Or you could complain to Weather Underground to support HTTPS for those
stickers... but they seem to be an old feature that they may not care
about anymore.

-- 
Anthony J. Bentley
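
An added example, not part of the original message: a small checker that lists the HTTP subresources an HTTPS page would load, split into the kinds the message describes as blocked (scripts, stylesheets, iframes; "active" here) and not yet blocked (images and other media; "passive" here). The page URL, the sample HTML and the sticker path are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ACTIVE_TAGS = {"script", "iframe"}        # can run code or embed documents
PASSIVE_TAGS = {"img", "audio", "video"}  # display-only media


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" in attrs.get("rel", "").lower().split():
            self._check("active", tag, attrs.get("href"))
        elif tag in ACTIVE_TAGS:
            self._check("active", tag, attrs.get("src"))
        elif tag in PASSIVE_TAGS:
            self._check("passive", tag, attrs.get("src"))

    def _check(self, kind, tag, ref):
        if not ref:
            return
        # urljoin resolves relative paths and //host references against the
        # page URL, so those inherit https and are not reported.
        url = urljoin(self.page_url, ref.strip())
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))


def find_mixed_content(page_url, html):
    """Return [(kind, tag, url)] for plain-HTTP subresources of an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on an HTTPS page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


PAGE_URL = "https://example.org/"  # constructed
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="//cdn.example.net/site.css">
<script src="http://example.net/widget.js"></script>
</head><body>
<img src="http://weathersticker.wunderground.com/sticker.gif">
<img src="/local/logo.png">
<iframe src="https://www.aopa.org/airports/KABQ/embed/wx"></iframe>
</body></html>"""  # constructed sample page

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(PAGE_URL, SAMPLE_HTML):
        print(f"{kind:8} <{tag}> {url}")
```
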

