SoylentNews is people

posted by n1 on Monday April 24 2017, @07:31AM
from the one-step-forward,-two-steps-back dept.

The USPTO (Patent and Trademark Office) has updated its Public Patent Application Information Retrieval (Public-PAIR) service so that it no longer supports HTTPS (secure) access. From the announcement with emphasis added:

Public PAIR Maintenance and Outage

The USPTO will be performing maintenance on the Public Patent Application Information Retrieval (Public Pair) beginning at 12:01 a.m., Friday, April 21 and ending at 2 a.m., Friday, April 21 ET.

During the maintenance period, Public PAIR will be unavailable.

Immediately after the maintenance, users will only be able to access Public PAIR through URLs beginning with HTTP, such as http://portal.uspto.gov/pair/PublicPair. Past URLs using HTTPS to access Public Pair, such as https://portal.uspto.gov/pair/PublicPair, will no longer work.

Can anyone explain why there would be this seemingly backwards move to insecure communications?


This discussion has been archived. No new comments can be posted.
  • (Score: 0) by Anonymous Coward on Monday April 24 2017, @08:37AM (7 children)

    by Anonymous Coward on Monday April 24 2017, @08:37AM (#498714)

    Yes, that can be done, but it's a very specific attack, and if you are the target of such an attack, chances are some zero day or physical interference is going to be used too, and https won't save you either. The price to pay is no caching.
    Personally this kind of problem (lots of public data, some content check required, https too expensive on the infrastructure, non-mainstream users) screams IPFS or git or torrent.

  • (Score: 2, Interesting) by Anonymous Coward on Monday April 24 2017, @09:26AM

    by Anonymous Coward on Monday April 24 2017, @09:26AM (#498733)

    Maybe there's a need for a variant between HTTP and HTTPS where content is signed (and thus guaranteed not to be tampered with) but not encrypted (so that caching etc. continues to work well). Let's call it HTTPV (for HTTP Verified).

  • (Score: 2) by c0lo on Monday April 24 2017, @09:42AM

    by c0lo (156) Subscriber Badge on Monday April 24 2017, @09:42AM (#498739) Journal

    chances some zero day or physical interference is going to be used too, and https won't save you either. The price to pay is no caching.

    Mmmm... if I'm changing my tablet every 3-4 days and take care of it, you'll have a hard time even with physical access.

    Price for a new cheap tablet for me - $35 [aliexpress.com]. Price for you to pay someone to physically access the tablet - what's the daily salary for a TLA agent nowadays?

    Then, of course, there's the much cheaper $5 wrench [xkcd.com] attack

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 4, Informative) by Leebert on Monday April 24 2017, @11:23AM (4 children)

    by Leebert (3511) on Monday April 24 2017, @11:23AM (#498775)

    You're overthinking the threat model here. I'll give you a "for instance": Get onto a Southwest Airlines flight, connect to (and pay for) their wifi, and marvel at them injecting JavaScript into every single HTTP request.

    • (Score: 1, Insightful) by Anonymous Coward on Monday April 24 2017, @11:51AM (3 children)

      by Anonymous Coward on Monday April 24 2017, @11:51AM (#498780)

      1. Sue them for interfering with a communication channel

      2. Use a VPN

      • (Score: 0) by Anonymous Coward on Monday April 24 2017, @01:29PM (1 child)

        by Anonymous Coward on Monday April 24 2017, @01:29PM (#498819)

        2. Use a VPN

        Wait, you mean people actually use those public wifi services without using VPNs?

        I guess people really are that stupid...

        • (Score: 1, Insightful) by Anonymous Coward on Monday April 24 2017, @07:51PM

          by Anonymous Coward on Monday April 24 2017, @07:51PM (#499024)

          No, people are ignorant, not stupid. As a savvy tech user it is really easy to dismiss stuff we see as simple and easy to figure out. For most people setting up their browser to use a VPN is a very difficult and technical task. That is even if they know what a VPN is or that public wifi connections are really that dangerous!

      • (Score: 2) by Immerman on Monday April 24 2017, @01:40PM

        by Immerman (3985) on Monday April 24 2017, @01:40PM (#498829)

        (1) is kind of difficult when they said they'd do as much on page 57 subparagraph 12 of the fine print you agreed to when accessing their service (I'm assuming it's in there, if not it would be added as soon as the first lawsuit was filed)

        Https offers a technical solution so that they and their ilk don't have the option in the first place.
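
Added example, not part of the original thread or of any commenter's post: a Node.js sketch of the signed-but-unencrypted idea raised above ("HTTPV"), checked against the kind of in-transit script injection also described above. The header name x-content-signature, the key handling and the sample body are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed publisher key pair; a real client would pin the public key out of band.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Length-prefix each signed field so bytes cannot migrate between fields.
function canonical(path, contentType, body) {
  return Buffer.concat([path, contentType, body].flatMap((field) => {
    const bytes = Buffer.from(field, 'utf8');
    const len = Buffer.alloc(4);
    len.writeUInt32BE(bytes.length);
    return [len, bytes];
  }));
}

// Origin: sign path + content type + body. 'x-content-signature' is a hypothetical header name.
function signResponse(path, contentType, body) {
  const sig = crypto.sign(null, canonical(path, contentType, body), privateKey);
  return { headers: { 'content-type': contentType, 'x-content-signature': sig.toString('base64') }, body };
}

// Client: verify against the path it asked for; fail closed on anything missing.
function verifyResponse(requestedPath, res, pubKey) {
  const sigB64 = res.headers['x-content-signature'];
  const type = res.headers['content-type'];
  if (typeof sigB64 !== 'string' || typeof type !== 'string') return false;
  const sig = Buffer.from(sigB64, 'base64');
  return crypto.verify(null, canonical(requestedPath, type, res.body), pubKey, sig);
}

function runScenarios() {
  const path = '/pair/PublicPair';
  const origin = signResponse(path, 'text/html', '<html><body>Application status</body></html>'); // constructed body
  const copy = () => ({ headers: { ...origin.headers }, body: origin.body });

  const cached = copy(); // a cache stores and replays the plaintext bytes unchanged
  const injected = copy(); // an on-path box appends a script tag
  injected.body = injected.body.replace('</body>', '<script src="http://injector.example/a.js"></script></body>');
  const stripped = copy(); // signature header removed in transit
  delete stripped.headers['x-content-signature'];

  return {
    cached: verifyResponse(path, cached, publicKey),
    injected: verifyResponse(path, injected, publicKey),
    stripped: verifyResponse(path, stripped, publicKey),
    wrongPath: verifyResponse('/pair/Other', cached, publicKey), // valid response replayed for another URL
  };
}
```

Only the cached copy verifies; the body stays readable to every intermediary, so this gives integrity and cacheability but none of the confidentiality HTTPS provides.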