It was a punchline, a source of memes and, occasionally, even an ensign for those pathologically opposed to big government tech-spends.
For nearly 30 years, Australia’s national, online weather website has seen the sunburnt country through thousands of droughts and flooding rains. But there was a particularly persistent dark cloud over the portal that the bureau boffins haven't been able to shake off until recently.
In all those years, up until late last month when the agency unveiled its long-awaited overhaul of the website as part of a much wider technology modernisation schedule, it had never complied with HTTPS standards.
For at least the last 10 of those, HTTPS has been fundamental to ensuring the safety and privacy of the modern internet around the world.
The little 's' in the https prepended to URLs stands for Secure Sockets Layer or SSL for short. It has since been superseded by TLS (Transport Layer Security), but the credentials they use are still widely referred to as SSL certificates.
HTTPS encrypts the trillions upon trillions of private data transfers that web users make every day, thwarting anyone intercepting the information in so-called “man-in-the-middle attacks”.
It’s hard for attackers to unscramble the transfers back into the sensitive information that they might carry like credit card details, personally identifiable information and other sensitive matter.
However, the bureau says it persistently had to put the needs of what it describes as “legacy applications” ahead of those security concerns.
“The bureau website does not capture or share personal information so prioritising the work has until now been a low priority (sic),” a spokesperson for the bureau told iTnews.
However, as of this year, the bureau says “most of the applications we had concerns with have been replaced or updated”.
It has swapped them out as part of a massive program of technology upgrades and overhauls it collectively labels “ROBUST”.
“There is also recently introduced technology that has allowed us to add HTTPS to parts of the legacy website without needing to completely rebuild it on new architecture,” the spokesperson added.
Web search engines and browsers didn't mandate the use of HTTPS circa 1996 when the nation's leading meteorological authority first started dipping its toe into the internet, a bureau spokesperson said.
Arguably, that rationale lost its potency long ago. Washington made HTTPS connections mandatory for all US federal government websites in June 2015 and gave all its agencies until the end of 2016 to get it done.
From the beginning of 2018, Google began marking non-https sites as “not secure”. Modern web browsers discourage users from connecting to them at all.
It’s not clear precisely when, if ever, Australia’s federal government officially started following the US government’s example; HTTPS didn’t even rate a specific mention (except perhaps a few footnotes) in advice the Australian Signals Directorate provided in its government security manual, The Commonwealth Cyber Security Posture in 2023.
What is known is that, by early 2022, non-https websites and web services across the rest of the Commonwealth’s online footprint were largely extinct.
Paul Baka, web security expert and managing director of Sydney-based SSL Trust, gave iTnews his interpretation of the bureau’s terse explanation for the lengthy delay.
“The BoM is a system with many different clients connecting to it and they want to keep it compatible with the widest possible range of users,” Baka said.
“They are a massive data provider, feeding thousands of external, high-value, and often automated clients, including shipping, airlines, and agricultural systems.
“Many of these critical legacy systems may have been built years ago and hard-coded to expect data over unencrypted HTTP. A sudden, mandatory switch to HTTPS might break these data feeds.
“I do know that the BoM has not ignored the problem completely. They have been using HTTPS on various subdomains for specific services and APIs, demonstrating that they own the necessary SSL certificates and have the technical capability. They also promote newer, modernised weather portals that fully support HTTPS,” he added.
Baka estimated the age of the outdated systems that the bureau had been relying on until recently at around 20 years old.
To provide perspective on what it has taken to bring these systems up-to-date and what a luxury HTTPS would have been for the bureau to implement earlier, consider what it has cost, both directly and indirectly, to launch the new HTTPS version of the website.
Its new skin alone – the redesign for the new public interface – cost $4.1 million, but that’s a drop in the ocean compared to the staggering total bill that Accenture and others handed to taxpayers for all supporting contracts covering website design, underpinning ICT infrastructure and data integration, the website's functional build and technical support services.
According to The Guardian’s Australian online masthead, it reached $86 million – blowing past its original $31 million budget like a McLaren passing a moped, waving slowly.
The bureau more or less confirmed the figure for iTnews.
“The total cost of the ROBUST program was $866m, with approximately 10 percent of that investment connected to the overall website and its supporting systems,” a bureau fact checker confirmed.
In an earlier statement to iTnews the bureau said:
“The bureau's current contract with Accenture is focused on the functional build and support services, however all elements, in combination with expertise and effort of bureau staff, were required to produce and support the new site”.
Even with close to a billion dollars in overall technology budget spent in recent years, internal bureau staff were still needed to make the sparkling new version of the site even a going concern, let alone secure.
Observers will make of that what they will, but arguably the key performance indicator that the bureau needs to be monitoring most closely now is that coming from the court of public opinion.
At the time of writing, a quick Google for the term 'BoM website overhaul', under the 'news' tab, produced, among others, the following headlines:
Cost of BoM’s website revamp revealed after deluge of public criticism – Guardian Australia
‘Bring back the old one’: BOM’s new website savaged online – The Adelaide Advertiser
Major update after BOM’s ‘s**t’ redesign – News.com.au
Storm in a teacup or dark clouds: why do people hate the BoM website redesign – Guardian Australia
The $4.1 million question: How did the BOM get its new website so wrong? – The Sydney Morning Herald
Bureau abandons costly, controversial website redesign – The Australian
And on and on it went in that vein and the tsunami of weather puns from the subs desks around the country has barely abated since.
iTnews happened to ask the bureau how long it planned to keep the outgoing version of the website running.
“At this stage, there is no set date to turn off the ‘legacy’ [their emphasis] website. The Bureau will gradually move content from the ‘legacy’ website [their emphasis again] to the new website,” the spokesperson said.
It would be fair to say, by the looks of the state of things, it will be a very gradual process indeed.




