The USPTO (Patent and Trademark Office) has updated its Public Patent Application Information Retrieval (Public-PAIR) service so that it no longer supports HTTPS (secure) access. From the announcement with emphasis added:
Public PAIR Maintenance and Outage
The USPTO will be performing maintenance on the Public Patent Application Information Retrieval (Public Pair) beginning at 12:01 a.m., Friday, April 21 and ending at 2 a.m., Friday, April 21 ET.
During the maintenance period, Public PAIR will be unavailable.
Immediately after the maintenance, users will only be able to access Public PAIR through URLs beginning with HTTP, such as http://portal.uspto.gov/pair/PublicPair. Past URLs using HTTPS to access Public Pair, such as https://portal.uspto.gov/pair/PublicPair, will no longer work.
Can anyone explain why there would be this seemingly backwards move to insecure communications?
(Score: 2) by Soylentbob on Monday April 24 2017, @03:07PM
Where HTTPS evangelism gets a bit ridiculous is when it is applied to sites serving public, mostly static information. HTTPS can't hide which server you're accessing and, given that and a knowledge of what is on each page of the site, it isn't rocket science to predict which pages you actually viewed from download size etc.
But it will be more difficult with https for AT&T [webpolicy.org], Comcast [theregister.co.uk] and others to inject their JavasCrapt. Also it will be more difficult for my provider to sell my browser-history, or for my purely hypothetical over-ambitious colleague to guesstimate on what project I'm working by seeing which patents I look up.
Also, to re-iterate my original point, the weakest link of HTTPS is the use of certificates to verify the site's identity, which is critical to stop your ISP or employer MITMing you.
I could go to some lengths and remove insecure root-authorities, but even without that effort my provider would be hard-pressed to get fake-certificates for all websites I visit.