posted by n1 on Monday April 24 2017, @07:31AM
from the one-step-forward,-two-steps-back dept.

The USPTO (Patent and Trademark Office) has updated its Public Patent Application Information Retrieval (Public-PAIR) service so that it no longer supports HTTPS (secure) access. From the announcement with emphasis added:

Public PAIR Maintenance and Outage

The USPTO will be performing maintenance on the Public Patent Application Information Retrieval (Public Pair) beginning at 12:01 a.m., Friday, April 21 and ending at 2 a.m., Friday, April 21 ET.

During the maintenance period, Public PAIR will be unavailable.

Immediately after the maintenance, users will only be able to access Public PAIR through URLs beginning with HTTP, such as http://portal.uspto.gov/pair/PublicPair. Past URLs using HTTPS to access Public Pair, such as https://portal.uspto.gov/pair/PublicPair, will no longer work.

Can anyone explain why there would be this seemingly backwards move to insecure communications?


  • (Score: 2) by Soylentbob (6519) on Monday April 24 2017, @11:22AM (#498774) (3 children)

    True, https has its weaknesses. E.g. punycode [securityintelligence.com], which can enable phishing attacks. And yes, when talking to Bob, Bob knows about the content of the communication, even if we communicate encrypted. Not very surprising.

    But if I talk to Bob, there is no reason to make the communication entirely public.

    And not everyone concerned about privacy is concerned about the Government in the first place. Some just don't want the provider to harvest all the data [washingtonpost.com] and sell it to the highest bidder.

  • (Score: 2, Disagree) by theluggage (1797) on Monday April 24 2017, @02:54PM (#498869) (2 children)

    And yes, when talking to Bob, Bob knows about the content of the communication, even if we communicate encrypted. Not very surprising.

    Explain that (using short words) to people trying to implement Digital Rights Management :-)

    But if I talk to bob, there is no reason to make the communication entirely public.

    True - if you're having a conversation or sending your data to a site. Where HTTPS evangelism gets a bit ridiculous is when it is applied to sites serving public, mostly static information. HTTPS can't hide which server you're accessing and, given that and a knowledge of what is on each page of the site, it isn't rocket science to predict which pages you actually viewed from download size etc. That's if you didn't get there by Google in the first place... Also, to re-iterate my original point, the weakest link of HTTPS is the use of certificates to verify the site's identity, which is critical to stop your ISP or employer MITMing you. If you're paranoid about being eavesdropped even when reading publicly available information then you really need to use something like Tor.

    What probably happened here is that someone in a big.gov.org made the mistake of asking about the procurement process for a new SSL certificate and decided that the internet would be obsolete before it came through (any bureaucrat worth their C-56/b annex ii could give you six reasons why you couldn't use LetsEncrypt - and anything that's going to need a $50 renewal in two years' time after the current project code has been terminated is guaranteed to fail).

    • (Score: 2) by Soylentbob (6519) on Monday April 24 2017, @03:07PM (#498876)

      Where HTTPS evangelism gets a bit ridiculous is when it is applied to sites serving public, mostly static information. HTTPS can't hide which server you're accessing and, given that and a knowledge of what is on each page of the site, it isn't rocket science to predict which pages you actually viewed from download size etc.

      But it will be more difficult with https for AT&T [webpolicy.org], Comcast [theregister.co.uk] and others to inject their JavasCrapt. Also it will be more difficult for my provider to sell my browser-history, or for my purely hypothetical over-ambitious colleague to guesstimate what project I'm working on by seeing which patents I look up.

      Also, to re-iterate my original point, the weakest link of HTTPS is the use of certificates to verify the site's identity, which is critical to stop your ISP or employer MITMing you.

      I could go to some lengths and remove insecure root authorities, but even without that effort my provider would be hard-pressed to get fake certificates for all websites I visit.

    • (Score: 0) by Anonymous Coward on Monday April 24 2017, @05:55PM (#498960)

      Incorrect, the information may be public but who is looking at it and reviewing any given documents should NOT be public knowledge. If I'm working on some new wireless tech patent I don't want some big company to be able to record the various patents I'm looking into to then undermine my efforts. I think that is the real reason behind this switchover.