posted by n1 on Monday April 24 2017, @07:31AM
from the one-step-forward,-two-steps-back dept.

The USPTO (Patent and Trademark Office) has updated its Public Patent Application Information Retrieval (Public-PAIR) service so that it no longer supports HTTPS (secure) access. From the announcement with emphasis added:

Public PAIR Maintenance and Outage

The USPTO will be performing maintenance on the Public Patent Application Information Retrieval (Public Pair) beginning at 12:01 a.m., Friday, April 21 and ending at 2 a.m., Friday, April 21 ET.

During the maintenance period, Public PAIR will be unavailable.

Immediately after the maintenance, users will only be able to access Public PAIR through URLs beginning with HTTP, such as http://portal.uspto.gov/pair/PublicPair. Past URLs using HTTPS to access Public Pair, such as https://portal.uspto.gov/pair/PublicPair, will no longer work.

Can anyone explain why there would be this seemingly backwards move to insecure communications?

  • (Score: 3, Informative) by Soylentbob on Monday April 24 2017, @08:32AM (10 children)

    by Soylentbob (6519) on Monday April 24 2017, @08:32AM (#498711)

    It's about data integrity and privacy. Also they are removing an already implemented feature, and since they are at least sane enough to still use https for authentication (eFile (registered) [uspto.gov] from the main page) they need to update the certificate anyway. So, the imo valid question is: Why?

  • (Score: 3, Insightful) by fyngyrz on Monday April 24 2017, @11:47AM (8 children)

    by fyngyrz (6567) on Monday April 24 2017, @11:47AM (#498779) Journal

    Possible answers for various organizations making the choice to serve http include:

    • Switching between https and http can result in browser warnings, disorienting the visitor, for instance if your page includes assets not served by ssl
    • https hides what you do. That may be the opposite of government intent when you access an open resource
    • https can be considered the opposite of transparency of government service
    • There's a performance penalty (varies... hardware capability, etc.) at the server to deliver https
    • That same performance penalty is a green issue under present non-green power supplies, particularly when looked at as a global factor
    • public proxy caching does not work for SSL traffic
    • http content can be served without cert validation, which allows it to come from anywhere. This may be a design intent, despite the potential black-hat consequences
    • older system compatibility for multiple virtual hosts - XP is still pretty much everywhere
    • (Score: 5, Insightful) by Soylentbob on Monday April 24 2017, @12:42PM (7 children)

      by Soylentbob (6519) on Monday April 24 2017, @12:42PM (#498798)

      Switching between https and http can result in browser warnings, disorienting the visitor, for instance if your page includes assets not served by ssl

      Yes. One reason why it is better to stay with https, since the login already requires https.

      https hides what you do. That may be the opposite of government intent when you access an open resource

      It's a government site. They can see in their logs what people do.

      https can be considered the opposite of transparency of government service

      No, it can't, not by a reasonable person with a straight face. The government still gets all data they need and can publish e.g. statistics. Publishing each request and leaving the response open to manipulation is not transparency.

      There's a performance penalty (varies... hardware capability, etc.) at the server to deliver https

      True, but negligible.

      That same performance penalty is a green issue under present non-green power supplies, particularly when looked at as a global factor

      There are much more reasonable ways to achieve green IT; cutting down on security is not it.

      public proxy caching does not work for SSL traffic

      Who uses public proxies nowadays? Doesn't work for most ultra-dynamic websites anyway.

      http content can be served without cert validation, which allows it to come from anywhere. This may be a design intent, despite the potential black-hat consequences

      How could this be a design intent?

      older system compatibility for multiple virtual hosts - XP is still pretty much everywhere

      Isn't XP out of maintenance already?

      • (Score: 2) by AndyTheAbsurd on Monday April 24 2017, @02:05PM (4 children)

        by AndyTheAbsurd (3958) on Monday April 24 2017, @02:05PM (#498840) Journal

        No, it can't, not by a reasonable person with a straight face.

        There aren't that many reasonable people - especially in government.

        There's a performance penalty (varies... hardware capability, etc.) at the server to deliver https

        True, but negligible.

        Not on any sort of large scale (especially when combined with a government non-military budget), it isn't.

        Isn't XP out of maintenance already?

        Yes, but that doesn't stop quite a large number of people who think "it's always been good enough, why would I change?", or that they don't have enough money for a more modern computer, or any number of other BS excuses, from using it.

        --
        Please note my username before responding. You may have been trolled.
        • (Score: 3, Informative) by Soylentbob on Monday April 24 2017, @02:45PM (3 children)

          by Soylentbob (6519) on Monday April 24 2017, @02:45PM (#498865)

          Not on any sort of large scale (especially when combined with a government non-military budget), it isn't.

          According to this [imperialviolet.org] link, Google switching to https for Gmail saw an increase of less than 1% CPU usage, less than 10 KB of memory per connection and less than 2% of network load increase. The load is only significant at all on session start, so downloading any bigger artifact should skew the numbers in favour of https.

          Isn't XP out of maintenance already?

          Yes, but that doesn't stop quite a large number of people who think "it's always been good enough, why would I change?", or that they don't have enough money for a more modern computer, or any number of other BS excuses, from using it.

          The website was operating with https before, so old servers shouldn't be the problem here.

          But if I got your post right, you wanted to state that incompetence and botched-up processes could be a driving factor for this decision, and that is something I can believe easily.

          • (Score: 1) by fyngyrz on Monday April 24 2017, @07:17PM (2 children)

            by fyngyrz (6567) on Monday April 24 2017, @07:17PM (#499010) Journal

            1% is not a minor power footprint impact for such installations in aggregate. That's also only with modern hardware. Not every installation meets that 1% cost.

            • (Score: 2) by Soylentbob on Monday April 24 2017, @08:19PM (1 child)

              by Soylentbob (6519) on Monday April 24 2017, @08:19PM (#499034)

              That's also only with modern hardware.

              The article was from 2010 (7 years ago); I don't think hardware from that time still counts as modern anymore. The AES instruction set [wikipedia.org] for x86 was proposed in 2008, so it was very likely not available in Google servers in 2010, but should very likely be available on most servers in use today. Therefore the

              less than 1%

              should go down again considerably. If they are actually running their servers on > 7 year old hardware, they should consider an upgrade; if they are running a big infrastructure, the savings in electricity will soon outweigh the investment in new CPUs.

              • (Score: 1) by fyngyrz on Monday April 24 2017, @11:02PM

                by fyngyrz (6567) on Monday April 24 2017, @11:02PM (#499087) Journal

                The article was from 2010 (7 years ago), I don't think hardware from that time still counts as modern anymore.

                Okay, but modern... how modern do we have to be? More to the point, how modern are we?

                I have an 8GB/8-core (dual 4-core XEON) from 2008. It's a pretty good workhorse, and there's no particular reason to retire it because of that. It's not my daily driver anymore (that's a 64GB/12...24-core from 2009, not too far down the hardware road from the 8-core, actually), but the 8-core does host a bunch of websites.

                Personally speaking, I'm really not with the program when it comes to throwing out hardware that works well, particularly if the suggested justification is to get more efficient at something I don't really see a whole lot of need to do in the first place. Nor do I see any reason to run the machine harder just so no one can possibly see that the web page visitors are looking at a timeline from 1800, or that they are interested in my SDR software, my text markup language, etc.

                Passwords and the like, sure. Medical, email and financial data too. For those who deal with them. Perhaps porn, if one shames easily.

                The rest? Frankly, it strikes me as leaning well towards the paranoid.

                By far, I see the main problem for us in terms of (KnowingStuff == PowerOverUs == DangerToUs) as coming directly from the government, and as the voters aren't willing to rein them in worth a frog's fart, well, I can only draw the conclusion they're not very serious about any of this anyway. Amazon knows what I surf for? I just can't bring myself to really care. They're no threat to me.

                Perhaps someone will convince me someday. That'd be interesting.

      • (Score: 1, Informative) by Anonymous Coward on Monday April 24 2017, @03:38PM

        by Anonymous Coward on Monday April 24 2017, @03:38PM (#498887)

        Isn't XP out of maintenance already?

        Software that is not inextricably bound to the cloud does not burst into flames the minute the software company says so, even though Microsoft very much laments this (and is arguably trying to correct it by preventing people from actually controlling their software).

      • (Score: 3, Interesting) by Pino P on Tuesday April 25 2017, @02:47PM

        by Pino P (4721) on Tuesday April 25 2017, @02:47PM (#499313) Journal

        Yes. One reason why it is better to stay with https, since the login already requires https.

        Say a site relies on third-party resources available only through cleartext HTTP. Running the whole site on HTTPS would trigger mixed content blocking when the site attempts to retrieve a third-party resource. I can't think of any such third-party resources presently in use on USPTO.gov, but until a few days ago, CanIUse.com's API was available only through cleartext HTTP [github.com]. And for a long time, ad servers were HTTP-only as well.

        Who uses public proxies nowadays?

        Mostly people in remote areas, where the ISP operates a caching proxy because its own upstream is slow and/or capped.

  • (Score: 0) by Anonymous Coward on Monday April 24 2017, @06:07PM

    by Anonymous Coward on Monday April 24 2017, @06:07PM (#498969)

    So they use HTTPS for the login credentials … but what about the accesses while logged in? Every access will need to transmit a token that authenticates that you are the user who logged in. If that is transmitted unencrypted, it's almost as bad as transmitting the original login credentials unencrypted.
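The point raised in this last comment can be shown with the standard library's cookie jar: a session cookie set during an HTTPS login is attached again to later plain-HTTP requests unless it carries the Secure attribute, and a site that is reachable only over HTTP cannot use Secure for any cookie it needs to read. This is an added example, not code from the story or from anyone in the thread; the hostnames are the ones quoted in the announcement, while the cookie names and values are constructed placeholders.

```python
import http.cookiejar
import urllib.request
from email.message import Message

# URLs quoted in the story; the cookie names and values below are constructed.
LOGIN_URL = "https://portal.uspto.gov/pair/PublicPair"
PLAIN_URL = "http://portal.uspto.gov/pair/PublicPair"

# Constructed login response headers: one session cookie with the Secure
# attribute, one without.  Values are placeholders, not real tokens.
SAMPLE_LOGIN_HEADERS = [
    "SESSIONID=placeholder-session-id; Path=/; HttpOnly",
    "CSRFTOKEN=placeholder-csrf; Path=/; Secure; HttpOnly",
]


class _FakeResponse:
    """Stand-in for an HTTP response; CookieJar only needs .info().get_all()."""

    def __init__(self, set_cookie_headers):
        self._msg = Message()
        for hdr in set_cookie_headers:
            self._msg["Set-Cookie"] = hdr  # Message keeps duplicate headers

    def info(self):
        return self._msg


def cookie_names_sent(set_cookie_headers, target_url):
    """Names of login cookies a browser-like jar would attach to target_url.

    The cookies are first stored as if set by the HTTPS login response, then
    the jar is asked which of them it would send along to target_url.
    """
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie_headers),
                        urllib.request.Request(LOGIN_URL))
    follow_up = urllib.request.Request(target_url)
    jar.add_cookie_header(follow_up)  # applies the Secure-vs-scheme check
    header = follow_up.get_header("Cookie", "")
    return sorted(kv.split("=", 1)[0] for kv in header.split("; ") if kv)


if __name__ == "__main__":
    # Over HTTPS both cookies travel; over plain HTTP only the one lacking
    # Secure is sent, and it is sent in the clear for anyone on the path.
    print("over https:", cookie_names_sent(SAMPLE_LOGIN_HEADERS, LOGIN_URL))
    print("over http: ", cookie_names_sent(SAMPLE_LOGIN_HEADERS, PLAIN_URL))
```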