What practical difference does it make if I connect to an Australian weather forecast site via HTTP or HTTPS? Is the NZ secret police gonna MITM a rain forecast my way when it's actually gonna be a very sunny day?
A government site has implicit authority. You could use that implicit authority to make a scam look more authentic. It also will have a lot of traffic; a lot of opportunities for the scam to work if you do manage to get in the middle.
For example, inject a dialog box that says "Our records indicate your taxes were not paid this year! Before you can view the weather you must click here and log in to resolve this issue!".
Aside from browsing history, privacy implications, some ISPs insert adverts, into the HTML - possibly opening up the user, to drive by browser exploits…
The reality is, it’s not complicated to add HTTPS, as a feature, so there’s no good reason as to why it’s not implemented - aside from incompetence, or trying to save money, on staff?!
> In the same way as walking to the bank is dangerous because any party on the way can rob you on the way?
To make this analogy more fitting, you'd also need a big sign around your head "going to do some banking, carrying all necessary credentials, cannot tell legitimate bank from fake bank".
Imagine a major weather event is coming and a warning banner shows on the weather site telling you to stay off the roads. But some carelessly injected ad covers it, or the injected CSS makes it unreadable. You don't see it and suffer a crash.
Government communications should not be subjected to arbitrary modification by intermediaries. Ad injection on HTTP is (or at least was, when unencrypted HTTP was popular) common. It also raises the concern that the ad will appear to have government sponsorship, which invites scams and other malvertising.
A government agency should seek to communicate information with the public, especially safety information, via an untamperable communication channel.
As a site its considerably less authorative than you seem to believe; people get weather warnings here in Australia from the TV, from the radio, from apps on their phones, from looking outside and seeing weather fronts rolling in.
Few people actually directly visit the BoM site, those that do are generally long time users familiar with the site using the usual array of adblockers and noscript, unlikely to fall for "Click here" injection attacks, and more likely to have a direct fibre | line connection to a major ISP to BoM with little chance for malicious injection in any case.
The risks are understood and doomsday scenarios have yet to occur after nearly 40 odd years online as a non https site.
Now you mention it, I only really see police cars around here - quite rare to see police walking.
I guess this is an effect of having built a digital panopticon. As pretty much everything we do leaves a digital trace and as one is oblivious to being observed (with observation potentially occurring in the future as automated agents run over data) the potential scrutiny changes behaviour. And that in turn allows for a decrease the number of police required to be physically present.
For example, inject a dialog box that says "Our records indicate your taxes were not paid this year! Before you can view the weather you must click here and log in to resolve this issue!".