SoylentNews is people

posted by n1 on Monday April 24 2017, @07:31AM
from the one-step-forward,-two-steps-back dept.

The USPTO (Patent and Trademark Office) has updated its Public Patent Application Information Retrieval (Public-PAIR) service so that it no longer supports HTTPS (secure) access. From the announcement with emphasis added:

Public PAIR Maintenance and Outage

The USPTO will be performing maintenance on the Public Patent Application Information Retrieval (Public Pair) beginning at 12:01 a.m., Friday, April 21 and ending at 2 a.m., Friday, April 21 ET.

During the maintenance period, Public PAIR will be unavailable.

Immediately after the maintenance, users will only be able to access Public PAIR through URLs beginning with HTTP, such as http://portal.uspto.gov/pair/PublicPair. Past URLs using HTTPS to access Public Pair, such as https://portal.uspto.gov/pair/PublicPair, will no longer work.

Can anyone explain why there would be this seemingly backwards move to insecure communications?

This discussion has been archived. No new comments can be posted.
  • (Score: 1, Insightful) by Anonymous Coward on Monday April 24 2017, @07:56AM (42 children)

    by Anonymous Coward on Monday April 24 2017, @07:56AM (#498693)

    Well that settles that. Free public nonsensitive unclassified information must be transmitted using unbreakable military grade encryption even when unnecessary. Trends must be followed because trends are trends and we the elite nerdy nerds follow the latest trends especially when trends make no sense!!!!

    ....... dorks.

  • (Score: 5, Insightful) by isostatic on Monday April 24 2017, @08:20AM (23 children)

    by isostatic (365) on Monday April 24 2017, @08:20AM (#498706) Journal

    It's not about people listening, it's about people changing it. A man in the middle can easily change your http connection to change or omit vital bits from your patent browsing. There's also the privacy angle where your ISP knows what patents you're looking for. Currently only google has that information, how can the ISP sell that search history on when everything is https?

    • (Score: 5, Insightful) by NCommander on Monday April 24 2017, @08:29AM (1 child)

      by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Monday April 24 2017, @08:29AM (#498708) Homepage Journal

      Taking the argument one step further, a mass dragnet of internet traffic can't work if you can't tell what's in it. Granted, due to the fundamental nature of IP networks, you can always tell X talked to Y and got this DNS name, but you can't tell if he was looking to file a patent, review a bunch of other ones, etc.

      Tin foil aside, the push to mass-encrypt the web wouldn't have taken off if there wasn't a feeling that it was necessary.

      --
      Still always moving
      • (Score: 4, Insightful) by zocalo on Monday April 24 2017, @08:56AM

        by zocalo (302) on Monday April 24 2017, @08:56AM (#498722)
        Unlike some public companies that have responded to requests for customer data with a legal counter challenge, I can't imagine the USPTO putting up much of a fight, if any, in the event of a request for access logs. That narrows things down a little more by removing the targeted retrieval of information and really just leaves wholesale data gathering as the sole valid reason for the tinfoil hat wearing members of the peanut gallery.

        Or maybe it's just technical. Something along the lines of budgets are tight, malicious traffic is up, and they can't effectively filter hostile HTTP traffic without either; a) forcing traffic to HTTP so they can do packet inspection with what tools they have, or; b) making cuts elsewhere in order to afford the necessary upgrades to HTTPS filtering. Sure, it might only mean a bunch of reverse proxies and their installation, but once you've allowed for all the pork you're going to be talking some serious money there...
        --
        UNIX? They're not even circumcised! Savages!
    • (Score: 0) by Anonymous Coward on Monday April 24 2017, @08:37AM (7 children)

      by Anonymous Coward on Monday April 24 2017, @08:37AM (#498714)

      Yes that can be done, but it's a very specific attack, and if you are the target of such an attack, chances are some zero day or physical interference is going to be used too, and https won't save you either. The price to pay is no caching.
      Personally this kind of problem (lots of public data, some content check required, https too expensive on the infrastructure, non mainstream users) screams IPFS or git or torrent.

      • (Score: 2, Interesting) by Anonymous Coward on Monday April 24 2017, @09:26AM

        by Anonymous Coward on Monday April 24 2017, @09:26AM (#498733)

        Maybe there's a need for a variant between HTTP and HTTPS where content is signed (and thus guaranteed not to be tampered with) but not encrypted (so that caching etc. continues to work well). Let's call it HTTPV (for HTTP Verified).

      • (Score: 2) by c0lo on Monday April 24 2017, @09:42AM

        by c0lo (156) Subscriber Badge on Monday April 24 2017, @09:42AM (#498739) Journal

        chances some zero day or physical interference is going to be used too, and https won't save you either. The price to pay is no caching.

        Mmmm... if I'm changing my tablet every 3-4 days and take care of it, you'll have a hard time even with physical access.

        Price for a new cheap tablet for me - $35 [aliexpress.com]. Price for you to pay someone to physically access the tablet - what's the daily salary for a TLA agent nowadays?

        Then, of course, there's the much cheaper $5 wrench [xkcd.com] attack

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 4, Informative) by Leebert on Monday April 24 2017, @11:23AM (4 children)

        by Leebert (3511) on Monday April 24 2017, @11:23AM (#498775)

        You're overthinking the threat model here. I'll give you a "for instance": Get onto a Southwest Airlines flight, connect to (and pay for) their wifi, and marvel at them injecting JavaScript into every single HTTP request.

        • (Score: 1, Insightful) by Anonymous Coward on Monday April 24 2017, @11:51AM (3 children)

          by Anonymous Coward on Monday April 24 2017, @11:51AM (#498780)

          1. Sue them for interfering with a communication channel

          2. Use a VPN

          • (Score: 0) by Anonymous Coward on Monday April 24 2017, @01:29PM (1 child)

            by Anonymous Coward on Monday April 24 2017, @01:29PM (#498819)

            2. Use a VPN

            Wait, you mean people actually use those public wifi services without using VPNs?

            I guess people really are that stupid...

            • (Score: 1, Insightful) by Anonymous Coward on Monday April 24 2017, @07:51PM

              by Anonymous Coward on Monday April 24 2017, @07:51PM (#499024)

              No, people are ignorant not stupid. As a savvy tech user it is really easy to dismiss stuff we see as simple and easy to figure out. For most people setting up their browser to use a VPN is a very difficult and technical task. That is even if they know what a VPN is or that public wifi connections are really that dangerous!

          • (Score: 2) by Immerman on Monday April 24 2017, @01:40PM

            by Immerman (3985) on Monday April 24 2017, @01:40PM (#498829)

            (1) is kind of difficult when they said they'd do as much on page 57 subparagraph 12 of the fine print you agreed to when accessing their service (I'm assuming it's in there, if not it would be added as soon as the first lawsuit was filed)

            Https offers a technical solution so that they and their ilk don't have the option in the first place.

    • (Score: 2) by driverless on Monday April 24 2017, @09:43AM (11 children)

      by driverless (4770) on Monday April 24 2017, @09:43AM (#498742)

      It's not about people listening, it's about people changing it. A man in the middle can easily change your http connection to change or omit vital bits from your patent browsing.

      That's the exact same argument the legal profession have been using for years to avoid putting public laws, court decisions, and other legal documents online. It makes about as much sense here as it does when the lawyers are using it as an excuse to avoid giving the public access to legal/court documents.

      • (Score: 2) by isostatic on Monday April 24 2017, @09:51AM (10 children)

        by isostatic (365) on Monday April 24 2017, @09:51AM (#498747) Journal

        Of course they should be online, but they should be signed (which https does) to avoid tampering.

        • (Score: 2) by driverless on Monday April 24 2017, @10:22AM (8 children)

          by driverless (4770) on Monday April 24 2017, @10:22AM (#498759)

          Why? What actual, real-world problem that attackers have actively exploited in the past and that needs to be dealt with is being prevented here?

          • (Score: 3, Informative) by isostatic on Monday April 24 2017, @11:15AM (7 children)

            by isostatic (365) on Monday April 24 2017, @11:15AM (#498771) Journal

            Why? What actual, real-world problem that attackers have actively exploited in the past and that needs to be dealt with is being prevented here?

            https://yro.slashdot.org/story/07/06/23/1233212/ISPs-Inserting-Ads-Into-Your-Pages [slashdot.org]

            • (Score: 2) by driverless on Monday April 24 2017, @12:34PM (6 children)

              by driverless (4770) on Monday April 24 2017, @12:34PM (#498794)

              And what does that have to do with someone subtly modifying claims in patent documents as the OP suggested? Have ISPs been caught doing that?

              • (Score: 1, Insightful) by Anonymous Coward on Monday April 24 2017, @12:43PM

                by Anonymous Coward on Monday April 24 2017, @12:43PM (#498799)

                Do you really trust ad-pushers not to write code that deletes sections of pages by accident?

              • (Score: 2) by Scruffy Beard 2 on Monday April 24 2017, @01:43PM (2 children)

                by Scruffy Beard 2 (6030) on Monday April 24 2017, @01:43PM (#498833)

                Looking for a new ISP based on the TOS was awkward when I learned that my ISP was doing AD injection. Most others did not support HTTPS at the time, but my ISP did. Obviously, they understood the power of the dark side.

                They could have easily made it look like all of their major competitors have egregious terms.

                Then there is the unsecured AP problem. Many "Free" APs tamper with the Internet to varying degrees.

                • (Score: 0) by Anonymous Coward on Monday April 24 2017, @05:57PM (1 child)

                  by Anonymous Coward on Monday April 24 2017, @05:57PM (#498961)

                  Most others did not support HTTPS at the time, but my ISP did.

                  Err, what? Your ISP does not need to support HTTPS, it only needs to support faithfully transporting packets according to the internet protocol specification. Only the server and the client need to support HTTPS.

                  • (Score: 2) by Pino P on Tuesday April 25 2017, @02:39PM

                    by Pino P (4721) on Tuesday April 25 2017, @02:39PM (#499310) Journal

                    Your ISP does not need to support HTTPS, it only needs to support faithfully transporting packets according to the internet protocol specification.

                    An ISP in a remote area whose upstream is slow and/or capped [codinghorror.com] would have an excuse to charge subscribers extra for "faithfully transporting packets according to the internet protocol specification" as opposed to running HTTP and HTTPS through the ISP's caching MITM. It'd be listed on subscribers' bills as a "Cache Miss Surcharge".

              • (Score: 0) by Anonymous Coward on Monday April 24 2017, @02:06PM

                by Anonymous Coward on Monday April 24 2017, @02:06PM (#498841)

                http://www.dailytech.com/Best+Buy+Sued+Over+Bogus+Web+Site/article7450.htm [dailytech.com]

                Not really the same, but had they not been caught you could imagine them extending this to traffic flowing over their in-store wifi. Never trust a business to put the customer's interest first. Business is all about money and any action that appears to indicate otherwise has a hidden financial motivation. If any business, be it a retailer or an ISP, has a financial advantage in altering your traffic and can get away with it you know damn well they will.

              • (Score: 2) by Pino P on Tuesday April 25 2017, @02:34PM

                by Pino P (4721) on Tuesday April 25 2017, @02:34PM (#499307) Journal

                And what does [inserting advertisements into pages delivered through cleartext HTTP] have to do with someone subtly modifying claims in patent documents as the OP suggested?

                The technical ability to perform one implies the technical ability to perform the other.

                Have ISPs been caught doing that?

                Not yet.

        • (Score: 2, Interesting) by Anonymous Coward on Monday April 24 2017, @12:34PM

          by Anonymous Coward on Monday April 24 2017, @12:34PM (#498795)

          Of course they should be online, but they should be signed (which https does) to avoid tampering.

          Well, HTTPS authentication gives some, but not a lot, of confidence that documents have not been tampered with. The only authentication HTTPS provides is done with keys stored on the web server delivering the documents. Usually these servers are of marginal trust as

          • almost everyone leases their servers from third parties
          • web servers are rarely secured particularly well.

          If you actually care about authenticating documents delivered by web servers, you need to use something like GPG detached signatures, which are generated and verified offline.

    • (Score: 0) by Anonymous Coward on Monday April 24 2017, @12:23PM

      by Anonymous Coward on Monday April 24 2017, @12:23PM (#498788)

      There's also the privacy angle where your ISP knows what patents you're looking for. Currently only google has that information, how can the ISP sell that search history on when everything is https?

      HTTPS doesn't actually help an awful lot with this sort of privacy concern, because it does nothing to conceal traffic flow.

      A passive observer of HTTPS traffic knows:

          (a) Who you are talking to
          (b) How much data you sent, and exactly when you sent it
          (c) How much data you received, and exactly when you received it.

      So because of (a) the eavesdropper knows you are talking to USPTO. With (b) and (c) the eavesdropper can likely determine exactly which USPTO documents you are viewing with very high confidence, especially if you access more than one.
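
The size leak described in the comment above, as an added illustration that is not part of the original post: it measures how many documents share each observable transfer size, with and without padding responses to fixed buckets. The catalogue, link graph, document ids and 64 KiB bucket are constructed for the example, and the per-record overhead assumes TLS 1.3 with an AEAD cipher.

```python
import math

RECORD_PLAINTEXT_MAX = 16_384  # maximum plaintext bytes carried by one TLS record
RECORD_OVERHEAD = 22           # assumed TLS 1.3 AEAD: 5 header + 1 type + 16 tag

# Constructed catalogue: hypothetical document id -> response size in bytes.
CATALOGUE = {
    "app-1001": 48_213,
    "app-1002": 48_950,
    "app-1003": 120_000,
    "app-1004": 17_604,
    "app-1005": 17_611,
    "app-1006": 125_500,
}

# Constructed link graph: documents reachable in one click from each document.
LINKS = {
    "app-1004": {"app-1001"},
    "app-1005": {"app-1002", "app-1003"},
}


def wire_size(plain_len, pad_to=None):
    """Bytes visible on the wire for a response of plain_len bytes.

    With pad_to set, the server pads the body up to the next multiple of
    pad_to before encryption, so many documents share one observable size.
    """
    if pad_to:
        plain_len = math.ceil(plain_len / pad_to) * pad_to
    records = math.ceil(plain_len / RECORD_PLAINTEXT_MAX)
    return plain_len + records * RECORD_OVERHEAD


def candidates(observed, pad_to=None, tolerance=16):
    """Documents whose wire size is within tolerance bytes of an observation."""
    return sorted(
        doc for doc, size in CATALOGUE.items()
        if abs(wire_size(size, pad_to) - observed) <= tolerance
    )


def candidate_paths(first_obs, second_obs, pad_to=None, tolerance=16):
    """Pairs (a, b) consistent with two consecutive transfers, b linked from a.

    This is the "especially if you access more than one" effect: the site's
    link structure removes candidates that size alone leaves open.
    """
    return sorted(
        (a, b)
        for a in candidates(first_obs, pad_to, tolerance)
        for b in candidates(second_obs, pad_to, tolerance)
        if b in LINKS.get(a, ())
    )


def smallest_anonymity_set(pad_to=None, tolerance=16):
    """Worst case for the reader: the fewest documents sharing any one size."""
    return min(
        len(candidates(wire_size(size, pad_to), pad_to, tolerance))
        for size in CATALOGUE.values()
    )


if __name__ == "__main__":
    first, second = wire_size(17_604), wire_size(48_213)
    print("one transfer, no padding :", candidates(first))
    print("two transfers, no padding:", candidate_paths(first, second))
    print("worst-case set, no padding:", smallest_anonymity_set())
    print("worst-case set, 64 KiB pad:", smallest_anonymity_set(pad_to=65_536))
    padded = wire_size(17_604, pad_to=65_536)
    print("two transfers, 64 KiB pad:",
          candidate_paths(padded, padded, pad_to=65_536))
```

In this constructed data, padding raises the worst-case set from one document to two, and a pair of linked fetches that was unambiguous without padding stays ambiguous between two paths with it.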

  • (Score: 3, Informative) by Soylentbob on Monday April 24 2017, @08:32AM (10 children)

    by Soylentbob (6519) on Monday April 24 2017, @08:32AM (#498711)

    It's about data integrity and privacy. Also they are removing an already implemented feature, and since they are at least sane enough to still use https for authentication (eFile (registered) [uspto.gov] from the main-page) they need to update the certificate anyway. So, the imo valid question is: Why?

    • (Score: 3, Insightful) by fyngyrz on Monday April 24 2017, @11:47AM (8 children)

      by fyngyrz (6567) on Monday April 24 2017, @11:47AM (#498779) Journal

      Possible answers for various organizations making the choice to serve http include:

      • Switching between https and http can result in browser warnings, disorienting the visitor, for instance if your page includes assets not served by ssl
      • https hides what you do. That may be the opposite of government intent when you access an open resource
      • https can be considered the opposite of transparency of government service
      • There's a performance penalty (varies... hardware capability, etc.) at the server to deliver https
      • That same performance penalty is a green issue under present non-green power supplies, particularly when looked at as a global factor
      • public proxy caching does not work for SSL traffic
      • http content can be served without cert validation, which allows it to come from anywhere. This may be a design intent, despite the potential black-hat consequences
      • older system compatibility for multiple virtual hosts - XP is still pretty much everywhere
      • (Score: 5, Insightful) by Soylentbob on Monday April 24 2017, @12:42PM (7 children)

        by Soylentbob (6519) on Monday April 24 2017, @12:42PM (#498798)

        Switching between https and http can result in browser warnings, disorienting the visitor, for instance if your page includes assets not served by ssl

        Yes. One reason why it is better to stay with https, since the login already requires https.

        https hides what you do. That may be the opposite of government intent when you access an open resource

        It's a government side. They can see in their logs what people do.

        https can be considered the opposite of transparency of government service

        No, it can't, not by a reasonable person with a straight face. The government still gets all data they need and can publish e.g. statistics. Publishing each request and leaving the response open to manipulation is not transparency.

        There's a performance penalty (varies... hardware capability, etc.) at the server to deliver https

        True, but negligible

        That same performance penalty is a green issue under present non-green power supplies, particularly when looked at as a global factor

        There are much more reasonable ways to achieve green-it, cutting down on security is not it.

        public proxy caching does not work for SSL traffic

        Who uses public proxies nowadays? Doesn't work for most ultra-dynamic websites anyway.

        http content can be served without cert validation, which allows it to come from anywhere. This may be a design intent, despite the potential black-hat consequences

        How could this be a design-intent?

        older system compatibility for multiple virtual hosts - XP is still pretty much everywhere

        Isn't XP out of maintenance already?

        • (Score: 2) by AndyTheAbsurd on Monday April 24 2017, @02:05PM (4 children)

          by AndyTheAbsurd (3958) on Monday April 24 2017, @02:05PM (#498840) Journal

          No, it can't, not by a reasonable person with a straight face.

          There aren't that many reasonable people - especially in government.

          There's a performance penalty (varies... hardware capability, etc.) at the server to deliver https

          True, but negligible

          Not on any sort of large scale (especially when combined with a government non-military budget), it isn't.

          Isn't XP out of maintenance already?

          Yes, but that doesn't stop quite a large number of people who think "it's always been good enough, why would I change?", or that they don't have enough money for a more modern computer, or any number of other BS excuses, from using it.

          --
          Please note my username before responding. You may have been trolled.
          • (Score: 3, Informative) by Soylentbob on Monday April 24 2017, @02:45PM (3 children)

            by Soylentbob (6519) on Monday April 24 2017, @02:45PM (#498865)

            Not on any sort of large scale (especially when combined with a government non-military budget), it isn't.

            According to this [imperialviolet.org] link, Google switching to https for gmail saw an increase of less than 1% CPU usage, less than 10kb of memory per connection and less than 2% of network load increase. The load is only significant at all on session start, so downloading any bigger artifact should skew the numbers in favour of https.

            Isn't XP out of maintenance already?

            Yes, but that doesn't stop quite a large number of people who think "it's always been good enough, why would I change?", or that they don't have enough money for a more modern computer, or any number of other BS excuses, from using it.

            The website was operating with https before, so old servers shouldn't be the problem here.

            But if I got your post correct, you wanted to state that incompetence and botched up processes could be a driving factor for this decision, and that is something I can believe easily.

            • (Score: 1) by fyngyrz on Monday April 24 2017, @07:17PM (2 children)

              by fyngyrz (6567) on Monday April 24 2017, @07:17PM (#499010) Journal

              1% is not a minor power footprint impact for such installations in aggregate. That's also only with modern hardware. Not every installation meets that 1% cost.

              • (Score: 2) by Soylentbob on Monday April 24 2017, @08:19PM (1 child)

                by Soylentbob (6519) on Monday April 24 2017, @08:19PM (#499034)

                That's also only with modern hardware.

                The article was from 2010 (7 years ago), I don't think hardware from that time still counts as modern anymore. The AES instruction set [wikipedia.org] for x86 was proposed in 2008, so it was very likely not available in Google servers in 2010, but should very likely be available on most servers in use today. Therefore the

                less than 1%

                should go down again considerably. If they are running their servers actually on > 7 year old hardware, they should consider an upgrade; if they are running a big infrastructure, the savings in electricity will soon outweigh the investment in new CPUs

                • (Score: 1) by fyngyrz on Monday April 24 2017, @11:02PM

                  by fyngyrz (6567) on Monday April 24 2017, @11:02PM (#499087) Journal

                  The article was from 2010 (7 years ago), I don't think hardware from that time still counts as modern anymore.

                  Okay, but modern... how modern do we have to be? More to the point, how modern are we?

                  I have an 8GB/8-core (dual 4-core XEON) from 2008. It's a pretty good workhorse, and there's no particular reason to retire it because of that. It's not my daily driver anymore (that's a 64GB/12...24-core from 2009, not too far down the hardware road from the 8-core, actually), but the 8-core does host a bunch of websites.

                  Personally speaking, I'm really not with the program when it comes to throwing out hardware that works well, particularly if the suggested justification is to get more efficient at something I don't really see a whole lot of need to do in the first place. Nor do I see any reason to run the machine harder just so no one can possibly see that the web page visitors are looking at a timeline from 1800, or that they are interested in my SDR software, my text markup language, etc.

                  Passwords and the like, sure. Medical, email and financial data too. For those who deal with them. Perhaps porn, if one shames easily.

                  The rest? Frankly, it strikes me as leaning well towards the paranoid.

                  By far, I see the main problem for us in terms of (KnowingStuff == PowerOverUs == DangerToUs) as coming directly from the government, and as the voters aren't willing to rein them in worth a frog's fart, well, I can only draw the conclusion they're not very serious about any of this anyway. Amazon knows what I surf for? I just can't bring myself to really care. They're no threat to me.

                  Perhaps someone will convince me someday. That'd be interesting.

        • (Score: 1, Informative) by Anonymous Coward on Monday April 24 2017, @03:38PM

          by Anonymous Coward on Monday April 24 2017, @03:38PM (#498887)

          Isn't XP out of maintenance already?

          Software that is not inextricably bound to the cloud does not burst into flames the minute the software company says so, even though Microsoft very much laments this (and is arguably trying to correct it by preventing people from actually controlling their software).

        • (Score: 3, Interesting) by Pino P on Tuesday April 25 2017, @02:47PM

          by Pino P (4721) on Tuesday April 25 2017, @02:47PM (#499313) Journal

          Yes. One reason why it is better to stay with https, since the login already requires https.

          Say a site relies on third-party resources available only through cleartext HTTP. Running the whole site on HTTPS would trigger mixed content blocking when the site attempts to retrieve a third-party resource. I can't think of any such third-party resources presently in use on USPTO.gov, but until a few days ago, CanIUse.com's API was available only through cleartext HTTP [github.com]. And for a long time, ad servers were HTTP-only as well.

          Who uses public proxies nowadays?

          Mostly people in remote areas, where the ISP operates a caching proxy because its own upstream is slow and/or capped.

    • (Score: 0) by Anonymous Coward on Monday April 24 2017, @06:07PM

      by Anonymous Coward on Monday April 24 2017, @06:07PM (#498969)

      So they use HTTPS for the login credentials … but what about the accesses while logged in? Every access will need to transmit a token that authenticates that you are the user who logged in. If that is transmitted unencrypted, it's almost as bad as transmitting the original login credentials unencrypted.

  • (Score: 3, Touché) by theluggage on Monday April 24 2017, @09:55AM (4 children)

    by theluggage (1797) on Monday April 24 2017, @09:55AM (#498750)

    Free public nonsensitive unclassified information must be transmitted using unbreakable military grade encryption

    ...undermined by a laughably weak certificate system designed to meet an impossible brief (let Alice securely communicate with Bob without making any conscious effort to verify Bob's identity) run by lowest-bidder certificate authorities. Never forget that bit - because strong encryption alone won't prevent MITM attacks or bogus sites which are the main reasons people argue for universal HTTPS.

    Oh, and pro tip: if you visit a site ending in ".gov" - HTTPS or not - then the Government knows what you've done.

    • (Score: 2) by Soylentbob on Monday April 24 2017, @11:22AM (3 children)

      by Soylentbob (6519) on Monday April 24 2017, @11:22AM (#498774)

      True, https has its weaknesses. E.g. the puny-codes [securityintelligence.com], which can enable phishing attacks. And yes, when talking to Bob, Bob knows about the content of the communication, even if we communicate encrypted. Not very surprising.

      But if I talk to bob, there is no reason to make the communication entirely public.

      And not everyone concerned about privacy is concerned about the Government in the first place. Some just don't want the provider to harvest all the data [washingtonpost.com] and sell it to the highest bidder.

      • (Score: 2, Disagree) by theluggage on Monday April 24 2017, @02:54PM (2 children)

        by theluggage (1797) on Monday April 24 2017, @02:54PM (#498869)

        And yes, when talking to Bob, Bob knows about the content of the communication, even if we communicate encrypted. Not very surprising.

        Explain that (using short words) to people trying to implement Digital Rights Management :-)

        But if I talk to bob, there is no reason to make the communication entirely public.

        True - if you're having a conversation or sending your data to a site. Where HTTPS evangelism gets a bit ridiculous is when it is applied to sites serving public, mostly static information. HTTPS can't hide which server you're accessing and, given that and a knowledge of what is on each page of the site, it isn't rocket science to predict which pages you actually viewed from download size etc. That's if you didn't get there by Google in the first place... Also, to re-iterate my original point, the weakest link of HTTPS is the use of certificates to verify the site's identity, which is critical to stop your ISP or employer MITMing you. If you're paranoid about being eavesdropped even when reading publicly available information then you really need to use something like Tor.

        What probably happened here is that someone in a big.gov.org made the mistake of asking about the procurement process for a new SSL certificate and decided that the internet would be obsolete before it came through (any bureaucrat worth their C-56/b annex ii could give you six reasons why you couldn't use LetsEncrypt - and anything that's going to need a $50 renewal in 2 years' time after the current project code has been terminated is guaranteed to fail).

        • (Score: 2) by Soylentbob on Monday April 24 2017, @03:07PM

          by Soylentbob (6519) on Monday April 24 2017, @03:07PM (#498876)

          Where HTTPS evangelism gets a bit ridiculous is when it is applied to sites serving public, mostly static information. HTTPS can't hide which server you're accessing and, given that and a knowledge of what is on each page of the site, it isn't rocket science to predict which pages you actually viewed from download size etc.

          But it will be more difficult with https for AT&T [webpolicy.org], Comcast [theregister.co.uk] and others to inject their JavasCrapt. Also it will be more difficult for my provider to sell my browser-history, or for my purely hypothetical over-ambitious colleague to guesstimate on what project I'm working by seeing which patents I look up.

          Also, to re-iterate my original point, the weakest link of HTTPS is the use of certificates to verify the site's identity, which is critical to stop your ISP or employer MITMing you.

          I could go to some lengths and remove insecure root-authorities, but even without that effort my provider would be hard-pressed to get fake-certificates for all websites I visit.

        • (Score: 0) by Anonymous Coward on Monday April 24 2017, @05:55PM

          by Anonymous Coward on Monday April 24 2017, @05:55PM (#498960)

          Incorrect, the information may be public but who is looking at it and reviewing any given documents should NOT be public knowledge. If I'm working on some new wireless tech patent I don't want some big company to be able to record the various patents I'm looking into to then undermine my efforts. I think that is the real reason behind this switchover.

  • (Score: 2) by c0lo on Monday April 24 2017, @01:04PM

    by c0lo (156) Subscriber Badge on Monday April 24 2017, @01:04PM (#498808) Journal

    ...especially when trends make no sense!!!!

    Next time, when your tiny brain can't make sense of it, you only need to ask.

    You see, when all connections are encrypted, there's little to jump in the eye of NSA when somebody really needs private communication, 'cause everybody uses encryption by default.
    If all the traffic is plain, any encrypted communication becomes immediately visible and suspect, even when legit.

    I'm sorry if your job becomes harder now, but cheer up... you have grounds to ask for a raise if that's the case.

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 0) by Anonymous Coward on Monday April 24 2017, @05:28PM

    by Anonymous Coward on Monday April 24 2017, @05:28PM (#498952)

    With HTTP they can now track an individual's patent research, then some clever team can figure out what they are likely working on and scramble their team of lawyers to get a patent in first.

    It is like corporate espionage, but given the blessing of government now that corporations can sell user traffic data.