
posted by n1 on Monday April 24 2017, @07:31AM
from the one-step-forward,-two-steps-back dept.

The USPTO (Patent and Trademark Office) has updated its Public Patent Application Information Retrieval (Public-PAIR) service so that it no longer supports HTTPS (secure) access. From the announcement with emphasis added:

Public PAIR Maintenance and Outage

The USPTO will be performing maintenance on the Public Patent Application Information Retrieval (Public Pair) beginning at 12:01 a.m., Friday, April 21 and ending at 2 a.m., Friday, April 21 ET.

During the maintenance period, Public PAIR will be unavailable.

Immediately after the maintenance, users will only be able to access Public PAIR through URLs beginning with HTTP, such as http://portal.uspto.gov/pair/PublicPair. Past URLs using HTTPS to access Public Pair, such as https://portal.uspto.gov/pair/PublicPair, will no longer work.

Can anyone explain why there would be this seemingly backwards move to insecure communications?


  • (Score: 5, Insightful) by isostatic on Monday April 24 2017, @08:20AM (23 children)

    by isostatic (365) on Monday April 24 2017, @08:20AM (#498706) Journal

    It's not about people listening, it's about people changing it. A man in the middle can easily change your http connection to change or omit vital bits from your patent browsing. There's also the privacy angle where your ISP knows what patents you're looking for. Currently only google has that information, how can the ISP sell that search history on when everything is https?

  • (Score: 5, Insightful) by NCommander on Monday April 24 2017, @08:29AM (1 child)

    by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Monday April 24 2017, @08:29AM (#498708) Homepage Journal

    Taking the argument one step further, a mass dragnet of internet traffic can't work if you can't tell what's in it. Granted, due to the fundamental nature of IP networks, you can always tell X talked to Y and got this DNS name, but you can't tell if he was looking to file a patent, review a bunch of other ones, etc.

    Tin foil aside, the push to mass-encrypt the web wouldn't have taken off if there wasn't a feeling that it was necessary.

    --
    Still always moving
    • (Score: 4, Insightful) by zocalo on Monday April 24 2017, @08:56AM

      by zocalo (302) on Monday April 24 2017, @08:56AM (#498722)
      Unlike some public companies that have responded to requests for customer data with a legal counter challenge, I can't imagine the USPTO putting up much of a fight, if any, in the event of a request for access logs. That narrows things down a little more by removing the targeted retrieval of information and really just leaves wholesale data gathering as the sole valid reason for the tinfoil hat wearing members of the peanut gallery.

      Or maybe it's just technical. Something along the lines of budgets are tight, malicious traffic is up, and they can't effectively filter hostile HTTP traffic without either a) forcing traffic to HTTP so they can do packet inspection with what tools they have, or b) making cuts elsewhere in order to afford the necessary upgrades to HTTPS filtering. Sure, it might only mean a bunch of reverse proxies and their installation, but once you've allowed for all the pork you're going to be talking some serious money there...
      --
      UNIX? They're not even circumcised! Savages!
  • (Score: 0) by Anonymous Coward on Monday April 24 2017, @08:37AM (7 children)

    by Anonymous Coward on Monday April 24 2017, @08:37AM (#498714)

    Yes that can be done, but it's a very specific attack, and if you are the target of such an attack, chances are some zero-day or physical interference is going to be used too, and https won't save you either. The price to pay is no caching.
    Personally this kind of problem (lots of public data, some content check required, https too expensive on the infrastructure, non mainstream users) screams IPFS or git or torrent.

    • (Score: 2, Interesting) by Anonymous Coward on Monday April 24 2017, @09:26AM

      by Anonymous Coward on Monday April 24 2017, @09:26AM (#498733)

      Maybe there's a need for a variant between HTTP and HTTPS where content is signed (and thus guaranteed not to be tampered with) but not encrypted (so that caching etc. continues to work well). Let's call it HTTPV (for HTTP Verified).

    • (Score: 2) by c0lo on Monday April 24 2017, @09:42AM

      by c0lo (156) Subscriber Badge on Monday April 24 2017, @09:42AM (#498739) Journal

      chances are some zero-day or physical interference is going to be used too, and https won't save you either. The price to pay is no caching.

      Mmmm... if I'm changing my tablet every 3-4 days and take care of it, you'll have a hard time even with physical access.

      Price for a new cheap tablet for me - $35 [aliexpress.com]. Price for you to pay someone to physically access the tablet - what's the daily salary of a TLA agent nowadays?

      Then, of course, there's the much cheaper $5 wrench [xkcd.com] attack

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 4, Informative) by Leebert on Monday April 24 2017, @11:23AM (4 children)

      by Leebert (3511) on Monday April 24 2017, @11:23AM (#498775)

      You're overthinking the threat model here. I'll give you a "for instance": Get onto a Southwest Airlines flight, connect to (and pay for) their wifi, and marvel at them injecting JavaScript into every single HTTP request.

      • (Score: 1, Insightful) by Anonymous Coward on Monday April 24 2017, @11:51AM (3 children)

        by Anonymous Coward on Monday April 24 2017, @11:51AM (#498780)

        1. Sue them for interfering with a communication channel

        2. Use a VPN

        • (Score: 0) by Anonymous Coward on Monday April 24 2017, @01:29PM (1 child)

          by Anonymous Coward on Monday April 24 2017, @01:29PM (#498819)

          2. Use a VPN

          Wait, you mean people actually use those public wifi services without using VPNs?

          I guess people really are that stupid...

          • (Score: 1, Insightful) by Anonymous Coward on Monday April 24 2017, @07:51PM

            by Anonymous Coward on Monday April 24 2017, @07:51PM (#499024)

            No, people are ignorant, not stupid. As a savvy tech user it is really easy to dismiss stuff we see as simple and easy to figure out. For most people setting up their browser to use a VPN is a very difficult and technical task. That is even if they know what a VPN is or that public wifi connections are really that dangerous!

        • (Score: 2) by Immerman on Monday April 24 2017, @01:40PM

          by Immerman (3985) on Monday April 24 2017, @01:40PM (#498829)

          (1) is kind of difficult when they said they'd do as much on page 57 subparagraph 12 of the fine print you agreed to when accessing their service (I'm assuming it's in there, if not it would be added as soon as the first lawsuit was filed)

          Https offers a technical solution so that they and their ilk don't have the option in the first place.

  • (Score: 2) by driverless on Monday April 24 2017, @09:43AM (11 children)

    by driverless (4770) on Monday April 24 2017, @09:43AM (#498742)

    It's not about people listening, it's about people changing it. A man in the middle can easily change your http connection to change or omit vital bits from your patent browsing.

    That's the exact same argument the legal profession have been using for years to avoid putting public laws, court decisions, and other legal documents online. It makes about as much sense here as it does when the lawyers are using it as an excuse to avoid giving the public access to legal/court documents.

    • (Score: 2) by isostatic on Monday April 24 2017, @09:51AM (10 children)

      by isostatic (365) on Monday April 24 2017, @09:51AM (#498747) Journal

      Of course they should be online, but they should be signed (which https does) to avoid tampering.

      • (Score: 2) by driverless on Monday April 24 2017, @10:22AM (8 children)

        by driverless (4770) on Monday April 24 2017, @10:22AM (#498759)

        Why? What actual, real-world problem that attackers have actively exploited in the past and that needs to be dealt with is being prevented here?

        • (Score: 3, Informative) by isostatic on Monday April 24 2017, @11:15AM (7 children)

          by isostatic (365) on Monday April 24 2017, @11:15AM (#498771) Journal

          Why? What actual, real-world problem that attackers have actively exploited in the past and that needs to be dealt with is being prevented here?

          https://yro.slashdot.org/story/07/06/23/1233212/ISPs-Inserting-Ads-Into-Your-Pages [slashdot.org]

          • (Score: 2) by driverless on Monday April 24 2017, @12:34PM (6 children)

            by driverless (4770) on Monday April 24 2017, @12:34PM (#498794)

            And what does that have to do with someone subtly modifying claims in patent documents as the OP suggested? Have ISPs been caught doing that?

            • (Score: 1, Insightful) by Anonymous Coward on Monday April 24 2017, @12:43PM

              by Anonymous Coward on Monday April 24 2017, @12:43PM (#498799)

              Do you really trust ad-pushers not to write code that deletes sections of pages by accident?

            • (Score: 2) by Scruffy Beard 2 on Monday April 24 2017, @01:43PM (2 children)

              by Scruffy Beard 2 (6030) on Monday April 24 2017, @01:43PM (#498833)

              Looking for a new ISP based on the TOS was awkward when I learned that my ISP was doing ad injection. Most others did not support HTTPS at the time, but my ISP did. Obviously, they understood the power of the dark side.

              They could have easily made it look like all of their major competitors had egregious terms.

              Then there is the unsecured AP problem. Many "Free" APs tamper with the Internet to varying degrees.

              • (Score: 0) by Anonymous Coward on Monday April 24 2017, @05:57PM (1 child)

                by Anonymous Coward on Monday April 24 2017, @05:57PM (#498961)

                Most others did not support HTTPS at the time, but my ISP did.

                Err, what? Your ISP does not need to support HTTPS, it only needs to support faithfully transporting packets according to the internet protocol specification. Only the server and the client need to support HTTPS.

                • (Score: 2) by Pino P on Tuesday April 25 2017, @02:39PM

                  by Pino P (4721) on Tuesday April 25 2017, @02:39PM (#499310) Journal

                  Your ISP does not need to support HTTPS, it only needs to support faithfully transporting packets according to the internet protocol specification.

                  An ISP in a remote area whose upstream is slow and/or capped [codinghorror.com] would have an excuse to charge subscribers extra for "faithfully transporting packets according to the internet protocol specification" as opposed to running HTTP and HTTPS through the ISP's caching MITM. It'd be listed on subscribers' bills as a "Cache Miss Surcharge".

            • (Score: 0) by Anonymous Coward on Monday April 24 2017, @02:06PM

              by Anonymous Coward on Monday April 24 2017, @02:06PM (#498841)

              http://www.dailytech.com/Best+Buy+Sued+Over+Bogus+Web+Site/article7450.htm [dailytech.com]

              Not really the same, but had they not been caught you could imagine them extending this to traffic flowing over their in-store wifi. Never trust a business to put the customer's interest first. Business is all about money and any action that appears to indicate otherwise has a hidden financial motivation. If any business, be it a retailer or an ISP, has a financial advantage in altering your traffic and can get away with it you know damn well they will.

            • (Score: 2) by Pino P on Tuesday April 25 2017, @02:34PM

              by Pino P (4721) on Tuesday April 25 2017, @02:34PM (#499307) Journal

              And what does [inserting advertisements into pages delivered through cleartext HTTP] have to do with someone subtly modifying claims in patent documents as the OP suggested?

              The technical ability to perform one implies the technical ability to perform the other.

              Have ISPs been caught doing that?

              Not yet.

      • (Score: 2, Interesting) by Anonymous Coward on Monday April 24 2017, @12:34PM

        by Anonymous Coward on Monday April 24 2017, @12:34PM (#498795)

        Of course they should be online, but they should be signed (which https does) to avoid tampering.

        Well, HTTPS authentication gives some, but not a lot, of confidence that documents have not been tampered with. The only authentication HTTPS provides is done with keys stored on the web server delivering the documents. Usually these servers are of marginal trust as

        • almost everyone leases their servers from third parties
        • web servers are rarely secured particularly well.

        If you actually care about authenticating documents delivered by web servers, you need to use something like GPG detached signatures, which are generated and verified offline.
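As an added illustration of the tampering discussed up-thread (ISP ad injection, the JavaScript injected on in-flight wifi, the "HTTPV" idea of signing without encrypting) and of the detached-signature point made in this comment, here is a Go program that is not part of the original discussion. It uses Ed25519 from the Go standard library as a stand-in for GPG detached signatures so that it runs offline; the document, the injected script tag and the ads.example hostname are constructed for the example and do not come from any real network or USPTO page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// PatentDoc is a constructed stand-in for a page fetched from Public PAIR.
// It is not a real application; the claims are placeholders.
const PatentDoc = `<html><body>
<h1>Constructed example application</h1>
<p>Claim 1. A method comprising performing step A.</p>
<p>Claim 2. The method of claim 1, further comprising performing step B.</p>
</body></html>`

// InjectScript models an ad-injecting ISP or captive portal that rewrites a
// cleartext HTTP response on the way to the client by inserting a script tag
// before </body>. The snippet is constructed for this example.
func InjectScript(html, script string) string {
	return strings.Replace(html, "</body>", script+"</body>", 1)
}

// DropClaim models the "omit vital bits" case: it removes the line holding
// claim n from the page, which an HTTP middlebox can do just as easily.
func DropClaim(html string, n int) string {
	prefix := fmt.Sprintf("<p>Claim %d.", n)
	var kept []string
	for _, line := range strings.Split(html, "\n") {
		if strings.HasPrefix(line, prefix) {
			continue
		}
		kept = append(kept, line)
	}
	return strings.Join(kept, "\n")
}

// Sign produces a detached signature with the publisher's private key. In a
// real deployment this runs offline, away from the web server; Ed25519 stands
// in here for GPG so the example needs only the Go standard library.
func Sign(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, doc)
}

// Verify checks a detached signature against whatever bytes arrived. It does
// not depend on how the bytes were transported, so it works over plain HTTP.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// Scenario signs PatentDoc once, then verifies three deliveries of it: untouched,
// with a script injected, and with claim 2 removed. Only the first should pass.
func Scenario() (cleanOK, injectedOK, droppedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	sig := Sign(priv, []byte(PatentDoc))
	cleanOK = Verify(pub, []byte(PatentDoc), sig)

	injected := InjectScript(PatentDoc, `<script src="http://ads.example/track.js"></script>`)
	injectedOK = Verify(pub, []byte(injected), sig)

	dropped := DropClaim(PatentDoc, 2)
	droppedOK = Verify(pub, []byte(dropped), sig)
	return cleanOK, injectedOK, droppedOK, nil
}

func main() {
	clean, injected, dropped, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("untouched verifies:       %v\n", clean)
	fmt.Printf("script-injected verifies: %v\n", injected)
	fmt.Printf("claim-dropped verifies:   %v\n", dropped)
}
```

The signature catches both kinds of tampering the thread worries about, modification and omission, and does so however the bytes travelled, which is the property the "HTTPV" suggestion is after. Two caveats the code makes visible: the verifier still has to obtain the publisher's public key by some channel the middlebox cannot rewrite, and a detached signature gives no confidentiality at all, so the privacy concern raised elsewhere in the thread is untouched by it. HTTPS differs in that the middlebox cannot make the change in the first place rather than the change being detected afterwards.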

  • (Score: 0) by Anonymous Coward on Monday April 24 2017, @12:23PM

    by Anonymous Coward on Monday April 24 2017, @12:23PM (#498788)

    There's also the privacy angle where your ISP knows what patents you're looking for. Currently only google has that information, how can the ISP sell that search history on when everything is https?

    HTTPS doesn't actually help an awful lot with this sort of privacy concern, because it does nothing to conceal traffic flow.

    A passive observer of HTTPS traffic knows:

        (a) Who you are talking to
        (b) How much data you sent, and exactly when you sent it
        (c) How much data you received, and exactly when you received it.

    So because of (a) the eavesdropper knows you are talking to USPTO. With (b) and (c) the eavesdropper can likely determine exactly which USPTO documents you are viewing with very high confidence, especially if you access more than one.
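The size leak this comment describes, as an added example that is not from the thread: a Go program that models a passive observer matching observed TLS ciphertext lengths against a catalog of known document sizes, and then shows what padding responses to fixed-size buckets does to that match. The catalog (identifiers and byte counts), the simplified per-record overhead model and the 4 KiB bucket size are all assumptions of the example; real traffic also carries HTTP headers, HTTP/2 framing and possibly compression on top of what is modelled here.

```go
package main

import (
	"fmt"
	"sort"
)

// Catalog maps document identifiers to their plaintext sizes in bytes. The
// identifiers and sizes are constructed for this example; a real observer
// would build this table by fetching the public site themselves.
var Catalog = map[string]int{
	"doc-A": 48213,
	"doc-B": 48214, // one byte larger than doc-A
	"doc-C": 131072,
	"doc-D": 7001,
	"doc-E": 7420,
}

// Simplified TLS record model (an assumption of this example): a 5-byte record
// header plus a 16-byte AEAD tag per record, records of at most 16 KiB, and no
// compression.
const (
	recordMax      = 16384
	recordOverhead = 5 + 16
)

// WireLen is the ciphertext length a passive observer sees for a body of the
// given plaintext size under the model above.
func WireLen(plain int) int {
	records := (plain + recordMax - 1) / recordMax
	if records == 0 {
		records = 1
	}
	return plain + records*recordOverhead
}

// PadTo rounds a plaintext size up to a multiple of bucket, modelling a server
// that pads every response. With bucket <= 0 no padding is applied.
func PadTo(plain, bucket int) int {
	if bucket <= 0 {
		return plain
	}
	return ((plain + bucket - 1) / bucket) * bucket
}

// Identify returns every catalog entry whose (padded) wire length equals the
// observed length, sorted by identifier. A single hit means the observer has
// learned exactly which document was fetched.
func Identify(catalog map[string]int, observed, bucket int) []string {
	var hits []string
	for id, size := range catalog {
		if WireLen(PadTo(size, bucket)) == observed {
			hits = append(hits, id)
		}
	}
	sort.Strings(hits)
	return hits
}

// Observe simulates a client fetching the named documents in order and returns
// the sequence of ciphertext lengths the observer records.
func Observe(catalog map[string]int, viewed []string, bucket int) []int {
	lengths := make([]int, 0, len(viewed))
	for _, id := range viewed {
		lengths = append(lengths, WireLen(PadTo(catalog[id], bucket)))
	}
	return lengths
}

// Fingerprint maps each observed length back to its candidate documents.
func Fingerprint(catalog map[string]int, observed []int, bucket int) [][]string {
	out := make([][]string, 0, len(observed))
	for _, n := range observed {
		out = append(out, Identify(catalog, n, bucket))
	}
	return out
}

func main() {
	session := []string{"doc-A", "doc-D"}
	for _, bucket := range []int{0, 4096} {
		obs := Observe(Catalog, session, bucket)
		fmt.Printf("bucket=%d observed=%v candidates=%v\n",
			bucket, obs, Fingerprint(Catalog, obs, bucket))
	}
}
```

Without padding the observer resolves each fetch to a single document even though doc-A and doc-B differ by one byte, which is the point (b) and (c) above make. With 4 KiB padding those two collapse into one bucket and so do doc-D and doc-E, so the observer is left with a candidate set rather than an answer; how much that helps depends entirely on how many documents share a bucket, and it does nothing about point (a), the destination, which TLS never hides.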