from the one-step-forward,-two-steps-back dept.
The USPTO (Patent and Trademark Office) has updated its Public Patent Application Information Retrieval (Public-PAIR) service so that it no longer supports HTTPS (secure) access. From the announcement with emphasis added:
Public PAIR Maintenance and Outage
The USPTO will be performing maintenance on the Public Patent Application Information Retrieval (Public Pair) beginning at 12:01 a.m., Friday, April 21 and ending at 2 a.m., Friday, April 21 ET.
During the maintenance period, Public PAIR will be unavailable.
Immediately after the maintenance, users will only be able to access Public PAIR through URLs beginning with HTTP, such as http://portal.uspto.gov/pair/PublicPair. Past URLs using HTTPS to access Public Pair, such as https://portal.uspto.gov/pair/PublicPair, will no longer work.
Can anyone explain why there would be this seemingly backwards move to insecure communications?
(Score: 1, Insightful) by Anonymous Coward on Monday April 24, @07:56AM (42 children)
Well that settles that. Free public nonsensitive unclassified information must be transmitted using unbreakable military grade encryption even when unnecessary. Trends must be followed because trends are trends and we the elite nerdy nerds follow the latest trends especially when trends make no sense!!!!
....... dorks.
(Score: 5, Insightful) by isostatic on Monday April 24, @08:20AM (23 children)
It's not about people listening, it's about people changing it. A man in the middle can easily change your http connection to change or omit vital bits from your patent browsing. There's also the privacy angle where your ISP knows what patents you're looking for. Currently only Google has that information; how can the ISP sell that search history on when everything is https?
(Score: 5, Insightful) by NCommander on Monday April 24, @08:29AM (1 child)
Taking the argument one step further, a mass dragnet of internet traffic can't work if you can't tell what's in it. Granted, due to the fundamental nature of IP networks, you can always tell X talked to Y and got this DNS name, but you can't tell if he was looking to file a patent, review a bunch of other ones, etc.
Tin foil aside, the push to mass-encrypt the web wouldn't have taken off if there wasn't a feeling that it was necessary.
Still always moving
(Score: 4, Insightful) by zocalo on Monday April 24, @08:56AM
Or maybe it's just technical. Something along the lines of: budgets are tight, malicious traffic is up, and they can't effectively filter hostile HTTP traffic without either (a) forcing traffic to HTTP so they can do packet inspection with what tools they have, or (b) making cuts elsewhere in order to afford the necessary upgrades to HTTPS filtering. Sure, it might only mean a bunch of reverse proxies and their installation, but once you've allowed for all the pork you're going to be talking some serious money there...
UNIX? They're not even circumcised! Savages!
(Score: 0) by Anonymous Coward on Monday April 24, @08:37AM (7 children)
Yes, that can be done, but it's a very specific attack, and if you are the target of such an attack, chances are some zero-day or physical interference is going to be used too, and https won't save you either. The price to pay is no caching.
Personally this kind of problem (lots of public data, some content check required, https too expensive on the infrastructure, non mainstream users) screams IPFS or git or torrent.
(Score: 2, Interesting) by Anonymous Coward on Monday April 24, @09:26AM
Maybe there's a need for a variant between HTTP and HTTPS where content is signed (and thus guaranteed not to be tampered with) but not encrypted (so that caching etc. continues to work well). Let's call it HTTPV (for HTTP Verified).
(Score: 2) by c0lo on Monday April 24, @09:42AM
Mmmm... if I'm changing my tablet every 3-4 days and take care of it, you'll have a hard time even with physical access.
Price for a new cheap tablet for me - $35 [aliexpress.com]. Price for you to pay someone to physically access the tablet - what's the daily salary for a TLA agent nowadays?
Then, of course, there's the much cheaper $5 wrench [xkcd.com] attack
(Score: 4, Informative) by Leebert on Monday April 24, @11:23AM (4 children)
You're overthinking the threat model here. I'll give you a "for instance": Get onto a Southwest Airlines flight, connect to (and pay for) their wifi, and marvel at them injecting JavaScript into every single HTTP request.
(Score: 1, Insightful) by Anonymous Coward on Monday April 24, @11:51AM (3 children)
1. Sue them for interfering with a communication channel
2. Use a VPN
(Score: 0) by Anonymous Coward on Monday April 24, @01:29PM (1 child)
Wait, you mean people actually use those public wifi services without using VPNs?
I guess people really are that stupid...
(Score: 1, Insightful) by Anonymous Coward on Monday April 24, @07:51PM
No, people are ignorant, not stupid. As a savvy tech user it is really easy to dismiss stuff we see as simple and easy to figure out. For most people setting up their browser to use a VPN is a very difficult and technical task. That is even if they know what a VPN is or that public wifi connections are really that dangerous!
(Score: 2) by Immerman on Monday April 24, @01:40PM
(1) is kind of difficult when they said they'd do as much on page 57 subparagraph 12 of the fine print you agreed to when accessing their service (I'm assuming it's in there, if not it would be added as soon as the first lawsuit was filed)
Https offers a technical solution so that they and their ilk don't have the option in the first place.
(Score: 2) by driverless on Monday April 24, @09:43AM (11 children)
It's not about people listening, it's about people changing it. A man in the middle can easily change your http connection to change or omit vital bits from your patent browsing.
That's the exact same argument the legal profession have been using for years to avoid putting public laws, court decisions, and other legal documents online. It makes about as much sense here as it does when the lawyers use it as an excuse to avoid giving the public access to legal/court documents.
(Score: 2) by isostatic on Monday April 24, @09:51AM (10 children)
Of course they should be online, but they should be signed (which https does) to avoid tampering.
(Score: 2) by driverless on Monday April 24, @10:22AM (8 children)
Why? What actual, real-world problem that attackers have actively exploited in the past and that needs to be dealt with is being prevented here?
(Score: 3, Informative) by isostatic on Monday April 24, @11:15AM (7 children)
Why? What actual, real-world problem that attackers have actively exploited in the past and that needs to be dealt with is being prevented here?
https://yro.slashdot.org/story/07/06/23/1233212/ISPs-Inserting-Ads-Into-Your-Pages [slashdot.org]
(Score: 2) by driverless on Monday April 24, @12:34PM (6 children)
And what does that have to do with someone subtly modifying claims in patent documents as the OP suggested? Have ISPs been caught doing that?
(Score: 1, Insightful) by Anonymous Coward on Monday April 24, @12:43PM
Do you really trust ad-pushers not to write code that deletes sections of pages by accident?
(Score: 2) by Scruffy Beard 2 on Monday April 24, @01:43PM (2 children)
Looking for a new ISP based on the TOS was awkward when I learned that my ISP was doing ad injection. Most others did not support HTTPS at the time, but my ISP did. Obviously, they understood the power of the dark side.
They could have easily made it look like all of their major competitors had egregious terms.
Then there is the unsecured AP problem. Many "Free" APs tamper with the Internet to varying degrees.
(Score: 0) by Anonymous Coward on Monday April 24, @05:57PM (1 child)
Err, what? Your ISP does not need to support HTTPS, it only needs to support faithfully transporting packets according to the internet protocol specification. Only the server and the client need to support HTTPS.
(Score: 2) by Pino P on Tuesday April 25, @02:39PM
Your ISP does not need to support HTTPS, it only needs to support faithfully transporting packets according to the internet protocol specification.
An ISP in a remote area whose upstream is slow and/or capped [codinghorror.com] would have an excuse to charge subscribers extra for "faithfully transporting packets according to the internet protocol specification" as opposed to running HTTP and HTTPS through the ISP's caching MITM. It'd be listed on subscribers' bills as a "Cache Miss Surcharge".
(Score: 0) by Anonymous Coward on Monday April 24, @02:06PM
http://www.dailytech.com/Best+Buy+Sued+Over+Bogus+Web+Site/article7450.htm [dailytech.com]
Not really the same, but had they not been caught you could imagine them extending this to traffic flowing over their in-store wifi. Never trust a business to put the customer's interest first. Business is all about money and any action that appears to indicate otherwise has a hidden financial motivation. If any business, be it a retailer or an ISP, has a financial advantage in altering your traffic and can get away with it, you know damn well they will.
(Score: 2) by Pino P on Tuesday April 25, @02:34PM
And what does [inserting advertisements into pages delivered through cleartext HTTP] have to do with someone subtly modifying claims in patent documents as the OP suggested?
The technical ability to perform one implies the technical ability to perform the other.
Have ISPs been caught doing that?
Not yet.
(Score: 2, Interesting) by Anonymous Coward on Monday April 24, @12:34PM
Well, HTTPS authentication gives some, but not a lot, of confidence that documents have not been tampered with. The only authentication HTTPS provides is done with keys stored on the web server delivering the documents. Usually these servers are of marginal trust as
If you actually care about authenticating documents delivered by web servers, you need to use something like GPG detached signatures, which are generated and verified offline.
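The "HTTPV" idea a few posts up (sign the content, don't encrypt it, keep caching) and the detached-signature approach in this post amount to the same thing: authenticate the bytes independently of the transport. Added example, not part of the original thread, in Go using the standard library's Ed25519; the sample document, the key pair and the tampering are all constructed here. Note the caveat the post itself hints at: the reader still has to obtain the publisher's public key through a channel the intermediary cannot swap out, which is the problem certificate authorities exist to solve for HTTPS, and a signature hides nothing about what was fetched.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Constructed sample document, standing in for one published patent page.
var sampleDoc = []byte("Claim 1. A method comprising: receiving a request, verifying it, and responding.\n")

// signDetached returns a base64 sidecar signature over the exact bytes that
// will be published. The private key stays with the publisher; it is only
// generated inside this program so the example runs on its own.
func signDetached(priv ed25519.PrivateKey, doc []byte) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, doc))
}

// verifyDetached checks fetched bytes against the sidecar using a public key
// the reader obtained out of band. The transport does not matter: plain
// HTTP, an ISP cache, a mirror or a torrent all produce the same verdict.
func verifyDetached(pub ed25519.PublicKey, doc []byte, sidecar string) bool {
	sig, err := base64.StdEncoding.DecodeString(sidecar)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, doc, sig)
}

// demo signs the sample, then verifies the genuine copy and a copy in which
// an intermediary swapped one word of the claim.
func demo() (genuineOK, tamperedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	sidecar := signDetached(priv, sampleDoc)
	genuineOK = verifyDetached(pub, sampleDoc, sidecar)

	tampered := bytes.Replace(sampleDoc, []byte("receiving"), []byte("rejecting"), 1)
	tamperedOK = verifyDetached(pub, tampered, sidecar)
	return genuineOK, tamperedOK, nil
}

func main() {
	genuineOK, tamperedOK, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine copy verifies:", genuineOK)   // true
	fmt.Println("tampered copy verifies:", tamperedOK) // false
}
```

The sidecar is what a `.sig` file next to each document would carry; a client that caches the document can cache the sidecar with it, which is exactly what the caching argument in the thread wants.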
(Score: 0) by Anonymous Coward on Monday April 24, @12:23PM
HTTPS doesn't actually help an awful lot with this sort of privacy concern, because it does nothing to conceal traffic flow.
A passive observer of HTTPS traffic knows:
(a) Who you are talking to
(b) How much data you sent, and exactly when you sent it
(c) How much data you received, and exactly when you received it.
So because of (a) the eavesdropper knows you are talking to USPTO. With (b) and (c) the eavesdropper can likely determine exactly which USPTO documents you are viewing with very high confidence, especially if you access more than one.
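What this post describes is size fingerprinting of encrypted traffic. Added example, not from the original thread, in Go: the `catalogue`, its document identifiers and sizes, and the `framing` constant are all constructed for the demonstration. It shows the identification step the post describes and the usual server-side mitigation, padding responses to fixed-size buckets so that many documents share one observable length. An observer who sees several fetches in sequence narrows the set again, so padding shrinks the leak rather than closing it.

```go
package main

import (
	"fmt"
	"sort"
)

// Constructed catalogue: response sizes in bytes for a handful of public
// documents, as a passive observer could compile by fetching each one once.
var catalogue = map[string]int{
	"DOC-0001": 48213,
	"DOC-0002": 51077,
	"DOC-0003": 48213, // same length as DOC-0001, so already ambiguous
	"DOC-0004": 120455,
	"DOC-0005": 9802,
}

// framing is a constructed constant for the bytes TLS and HTTP headers add
// to each response in this model. Real overhead varies by cipher and server.
const framing = 512

// candidates returns the catalogue entries whose framed size lies within
// tolerance bytes of the observed transfer size. This is the identification
// step: the observer never sees the content, only its length.
func candidates(sizes map[string]int, observed, tolerance int) []string {
	var out []string
	for id, n := range sizes {
		d := observed - (n + framing)
		if d < 0 {
			d = -d
		}
		if d <= tolerance {
			out = append(out, id)
		}
	}
	sort.Strings(out)
	return out
}

// padded models the mitigation: every body is padded up to a multiple of
// bucket bytes before transmission, so documents of similar size become
// indistinguishable by length.
func padded(sizes map[string]int, bucket int) map[string]int {
	out := make(map[string]int, len(sizes))
	for id, n := range sizes {
		out[id] = ((n + bucket - 1) / bucket) * bucket
	}
	return out
}

func main() {
	// The observer saw one transfer of 48213 body bytes plus framing.
	fmt.Println("unpadded:", candidates(catalogue, 48213+framing, 16))
	// → [DOC-0001 DOC-0003]

	// With 64 KiB buckets, four of the five documents look identical.
	p := padded(catalogue, 65536)
	fmt.Println("padded:", candidates(p, 65536+framing, 16))
	// → [DOC-0001 DOC-0002 DOC-0003 DOC-0005]
}
```

The bucket size trades bandwidth for ambiguity: larger buckets enlarge the set of documents each observed length could be, at the cost of sending more bytes.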
(Score: 3, Informative) by Soylentbob on Monday April 24, @08:32AM (10 children)
It's about data integrity and privacy. Also they are removing an already implemented feature, and since they are at least sane enough to still use https for authentication (eFile (registered) [uspto.gov] from the main-page) they need to update the certificate anyway. So, the imo valid question is: Why?
(Score: 3, Insightful) by fyngyrz on Monday April 24, @11:47AM (8 children)
Possible answers for various organizations making the choice to serve http include:
(Score: 5, Insightful) by Soylentbob on Monday April 24, @12:42PM (7 children)
Switching between https and http can result in browser warnings, disorienting the visitor, for instance if your page includes assets not served by ssl
Yes. One reason why it is better to stay with https, since the login already requires https.
https hides what you do. That may be the opposite of government intent when you access an open resource
It's a government site. They can see in their logs what people do.
https can be considered the opposite of transparency of government service
No, it can't, not by a reasonable person with a straight face. The government still gets all data they need and can publish e.g. statistics. Publishing each request and leaving the response open to manipulation is not transparency.
There's a performance penalty (varies... hardware capability, etc.) at the server to deliver https
True, but negligible
That same performance penalty is a green issue under present non-green power supplies, particularly when looked at as a global factor
There are much more reasonable ways to achieve green-it, cutting down on security is not it.
public proxy caching does not work for SSL traffic
Who uses public proxies nowadays? Doesn't work for most ultra-dynamic websites anyway.
http content can be served without cert validation, which allows it to come from anywhere. This may be a design intent, despite the potential black-hat consequences
How could this be a design-intent?
older system compatibility for multiple virtual hosts - XP is still pretty much everywhere
Isn't XP out of maintenance already?
(Score: 2) by AndyTheAbsurd on Monday April 24, @02:05PM (4 children)
No, it can't, not by a reasonable person with a straight face.
There aren't that many reasonable people - especially in government.
There's a performance penalty (varies... hardware capability, etc.) at the server to deliver https
True, but negligible
Not on any sort of large scale (especially when combined with a government non-military budget), it isn't.
Isn't XP out of maintenance already?
Yes, but that doesn't stop quite a large number of people who think "it's been always been good enough, why would I change?", or that they don't have enough money for a more modern computer, or any number of other BS excuses, from using it.
Please note my username before responding. You may have been trolled.
(Score: 3, Informative) by Soylentbob on Monday April 24, @02:45PM (3 children)
Not on any sort of large scale (especially when combined with a government non-military budget), it isn't.
According to this [imperialviolet.org] link, Google switching to https for gmail saw an increase of less than 1% CPU usage, less than 10kb of memory per connection and less than 2% of network load increase. The load is only significant at all on session start, so downloading any bigger artifact should skew the numbers in favour of https.
Isn't XP out of maintenance already?
Yes, but that doesn't stop quite a large number of people who think "it's been always been good enough, why would I change?", or that they don't have enough money for a more modern computer, or any number of other BS excuses, from using it.
The website was operating with https before, so old servers shouldn't be the problem here.
But if I got your post correct, you wanted to state that incompetence and botched up processes could be a driving factor for this decision, and that is something I can believe easily.
(Score: 1) by fyngyrz on Monday April 24, @07:17PM (2 children)
1% is not a minor power footprint impact for such installations in aggregate. That's also only with modern hardware. Not every installation meets that 1% cost.
(Score: 2) by Soylentbob on Monday April 24, @08:19PM (1 child)
That's also only with modern hardware.
The article was from 2010 (7 years ago); I don't think hardware from that time still counts as modern anymore. The AES instruction set [wikipedia.org] for x86 was proposed in 2008, so it was very likely not available in Google servers in 2010, but should very likely be available on most servers in use today. Therefore the
less than 1%
should go down again considerably. If they are running their servers actually on > 7 year old hardware, they should consider an upgrade; if they are running a big infrastructure, the savings in electricity will soon outweigh the investment in new CPUs
(Score: 1) by fyngyrz on Monday April 24, @11:02PM
Okay, but modern... how modern do we have to be? More to the point, how modern are we?
I have an 8GB/8-core (dual 4-core XEON) from 2008. It's a pretty good workhorse, and there's no particular reason to retire it because of that. It's not my daily driver anymore (that's a 64GB/12...24-core from 2009, not too far down the hardware road from the 8-core, actually), but the 8-core does host a bunch of websites.
Personally speaking, I'm really not with the program when it comes to throwing out hardware that works well, particularly if the suggested justification is to get more efficient at something I don't really see a whole lot of need to do in the first place. Nor do I see any reason to run the machine harder just so no one can possibly see that the web page visitors are looking at a timeline from 1800, or that they are interested in my SDR software, my text markup language, etc.
Passwords and the like, sure. Medical, email and financial data too. For those who deal with them. Perhaps porn, if one shames easily.
The rest? Frankly, it strikes me as leaning well towards the paranoid.
By far, I see the main problem for us in terms of (KnowingStuff == PowerOverUs == DangerToUs) as coming directly from the government, and as the voters aren't willing to rein them in worth a frog's fart, well, I can only draw the conclusion they're not very serious about any of this anyway. Amazon knows what I surf for? I just can't bring myself to really care. They're no threat to me.
Perhaps someone will convince me someday. That'd be interesting.
(Score: 1, Informative) by Anonymous Coward on Monday April 24, @03:38PM
Isn't XP out of maintenance already?
Software that is not inextricably bound to the cloud does not burst into flames the minute the software company says so, even though Microsoft very much laments this (and is arguably trying to correct it by preventing people from actually controlling their software).
(Score: 3, Interesting) by Pino P on Tuesday April 25, @02:47PM
Yes. One reason why it is better to stay with https, since the login already requires https.
Say a site relies on third-party resources available only through cleartext HTTP. Running the whole site on HTTPS would trigger mixed content blocking when the site attempts to retrieve a third-party resource. I can't think of any such third-party resources presently in use on USPTO.gov, but until a few days ago, CanIUse.com's API was available only through cleartext HTTP [github.com]. And for a long time, ad servers were HTTP-only as well.
Who uses public proxies nowadays?
Mostly people in remote areas, where the ISP operates a caching proxy because its own upstream is slow and/or capped.
(Score: 0) by Anonymous Coward on Monday April 24, @06:07PM
So they use HTTPS for the login credentials … but what about the accesses while logged in? Every access will need to transmit a token that authenticates that you are the user who logged in. If that is transmitted unencrypted, it's almost as bad as transmitting the original login credentials unencrypted.
(Score: 3, Touché) by theluggage on Monday April 24, @09:55AM (4 children)
Free public nonsensitive unclassified information must be transmitted using unbreakable military grade encryption
...undermined by a laughably weak certificate system designed to meet an impossible brief (let Alice securely communicate with Bob without making any conscious effort to verify Bob's identity) run by lowest-bidder certificate authorities. Never forget that bit - because strong encryption alone won't prevent MITM attacks or bogus sites which are the main reasons people argue for universal HTTPS.
Oh, and pro tip: if you visit a site ending in ".gov" - HTTPS or not - then the Government knows what you've done.
(Score: 2) by Soylentbob on Monday April 24, @11:22AM (3 children)
True, https has its weaknesses, e.g. punycode [securityintelligence.com], which can enable phishing attacks. And yes, when talking to Bob, Bob knows about the content of the communication, even if we communicate encrypted. Not very surprising.
But if I talk to Bob, there is no reason to make the communication entirely public.
And not everyone concerned about privacy is concerned about the Government in the first place. Some just don't want the provider to harvest all the data [washingtonpost.com] and sell it to the highest bidder.
(Score: 2, Disagree) by theluggage on Monday April 24, @02:54PM (2 children)
And yes, when talking to Bob, Bob knows about the content of the communication, even if we communicate encrypted. Not very surprising.
Explain that (using short words) to people trying to implement Digital Rights Management :-)
But if I talk to bob, there is no reason to make the communication entirely public.
True - if you're having a conversation or sending your data to a site. Where HTTPS evangelism gets a bit ridiculous is when it is applied to sites serving public, mostly static information. HTTPS can't hide which server you're accessing and, given that and a knowledge of what is on each page of the site, it isn't rocket science to predict which pages you actually viewed from download size etc. That's if you didn't get there by Google in the first place... Also, to re-iterate my original point, the weakest link of HTTPS is the use of certificates to verify the site's identity, which is critical to stop your ISP or employer MITMing you. If you're paranoid about being eavesdropped even when reading publicly available information then you really need to use something like Tor.
What probably happened here is that someone in a big.gov.org made the mistake of asking about the procurement process for a new SSL certificate and decided that the internet would be obsolete before it came through (any bureaucrat worth their C-56/b annex ii could give you six reasons why you couldn't use LetsEncrypt - and anything that's going to need a $50 renewal in 2 years' time after the current project code has been terminated is guaranteed to fail).
(Score: 2) by Soylentbob on Monday April 24, @03:07PM
Where HTTPS evangelism gets a bit ridiculous is when it is applied to sites serving public, mostly static information. HTTPS can't hide which server you're accessing and, given that and a knowledge of what is on each page of the site, it isn't rocket science to predict which pages you actually viewed from download size etc.
But it will be more difficult with https for AT&T [webpolicy.org], Comcast [theregister.co.uk] and others to inject their JavasCrapt. Also it will be more difficult for my provider to sell my browser-history, or for my purely hypothetical over-ambitious colleague to guesstimate what project I'm working on by seeing which patents I look up.
Also, to re-iterate my original point, the weakest link of HTTPS is the use of certificates to verify the site's identity, which is critical to stop your ISP or employer MITMing you.
I could go to some lengths and remove insecure root-authorities, but even without that effort my provider would be hard-pressed to get fake-certificates for all websites I visit.
(Score: 0) by Anonymous Coward on Monday April 24, @05:55PM
Incorrect, the information may be public but who is looking at it and reviewing any given documents should NOT be public knowledge. If I'm working on some new wireless tech patent I don't want some big company to be able to record the various patents I'm looking into to then undermine my efforts. I think that is the real reason behind this switchover.
(Score: 2) by c0lo on Monday April 24, @01:04PM
Next time, when your tiny brain can't make sense of it, you only need to ask.
You see, when all connections are encrypted, there's little to jump in the eye of the NSA when somebody really needs private communication, 'cause everybody uses encryption by default.
If all the traffic is plain, any encrypted communication becomes immediately visible and suspect, even when legit.
I'm sorry if your job becomes harder now, but cheer up... you have grounds to ask for a raise if that's the case.
(Score: 0) by Anonymous Coward on Monday April 24, @05:28PM
With HTTP they can now track an individual's patent research, then some clever team can figure out what they are likely working on and scramble their team of lawyers to get a patent in first.
It is like corporate espionage, but given the blessing of government now that corporations can sell user traffic data.
(Score: -1, Flamebait) by Anonymous Coward on Monday April 24, @08:02AM (4 children)
Who's watching me?
I don't know anymore
Are the neighbors watching?
Who's watching?
Well, it's the mailman watching me
(Tell me who's watching me)
And I don't feel safe anymore
Oh, what a mess I wonder who's watching me now
(Who?) the IRS?
http://www.azlyrics.com/lyrics/rockwell/somebodyswatchingme.html [azlyrics.com]
OH GOD OH GOD NO
AZLyrics.com doesn't do HTTPS
I HAVE TO PANIC NOW
(Score: -1, Flamebait) by Anonymous Coward on Monday April 24, @08:07AM (3 children)
https://mp3-128.cdn107.com/music/09/47/41/0947411381.mp3 [cdn107.com]
OH GOOD
CDN107.com does HTTPS
BECAUSE IT MATTERS SO MUCH when my 1980s era broadcast radio tunes are SO ENCRYPTED BRO
(Score: -1, Spam) by Anonymous Coward on Monday April 24, @08:09AM (2 children)
Where's that cumfaced troll Eth to call me a cunt???
(Score: 2) by Gaaark on Monday April 24, @10:10AM (1 child)
He's with your mom?
--- [redacted] due to [redacted] by Agent [redacted]. Dated [redacted] ---
(Score: 0) by Anonymous Coward on Monday April 24, @11:53AM
No. That was me.
(Score: 3, Insightful) by kaszz on Monday April 24, @09:32AM (2 children)
Because we want to execute industrial espionage.
Questions? :P
(Score: 0) by Anonymous Coward on Monday April 24, @10:43AM (1 child)
+1
Not using encryption saves the USPTO the bandwidth to forward logs to the TLAs, who can just snoop all the traffic at all the usual tapping points, which is greener!
(Score: 2) by kaszz on Wednesday April 26, @01:23AM
Then there's TOR :->
(Score: 3, Interesting) by Leebert on Monday April 24, @11:18AM (1 child)
They'll get a smackdown from DHS. The Office of Management and Budget in this 2015 memo [archives.gov] issued requirements that "all publicly accessible Federal websites and web services" implement HTTPS only with HSTS.
Unless the new administration rescinds that memo, that is. But there are no signs that will happen.
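The concern raised a few posts up (every request after login carries a token that is as sensitive as the password it replaced) and the OMB requirement cited here (HTTPS only, with HSTS) come down to two server-side settings. Added example, not part of the thread and not code from any USPTO system, in Go's standard library: a wrapper that redirects plaintext requests and marks TLS responses with HSTS, plus a session cookie flagged Secure and HttpOnly, exercised against httptest listeners. The path /pair/PublicPair is taken from the announcement; the token value is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// hstsValue tells browsers to use HTTPS for this host (and subdomains) for a
// year after they first see it, so later plaintext links are upgraded locally.
const hstsValue = "max-age=31536000; includeSubDomains"

// httpsOnly redirects plaintext requests to their HTTPS equivalent and adds
// the HSTS header to every TLS response.
func httpsOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil {
			http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
			return
		}
		w.Header().Set("Strict-Transport-Security", hstsValue)
		next.ServeHTTP(w, r)
	})
}

// issueSession sets the post-login token. Secure stops the browser from ever
// sending it over plaintext; HttpOnly keeps injected page scripts from reading it.
func issueSession(w http.ResponseWriter, token string) {
	http.SetCookie(w, &http.Cookie{
		Name: "session", Value: token, Path: "/",
		Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode, MaxAge: 3600,
	})
}

// Result records what a client observes against the two listeners.
type Result struct {
	RedirectStatus   int
	RedirectLocation string
	HSTS             string
	CookieSecure     bool
	CookieHTTPOnly   bool
}

// demo runs the same handler behind a plaintext and a TLS test listener and
// collects the security-relevant parts of each response.
func demo() (Result, error) {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		issueSession(w, "constructed-token-value")
		fmt.Fprintln(w, "logged in")
	})
	plain := httptest.NewServer(httpsOnly(app))
	defer plain.Close()
	secure := httptest.NewTLSServer(httpsOnly(app))
	defer secure.Close()

	var res Result
	// Do not follow the redirect; we want to inspect it.
	noFollow := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse
	}}
	resp, err := noFollow.Get(plain.URL + "/pair/PublicPair")
	if err != nil {
		return res, err
	}
	resp.Body.Close()
	res.RedirectStatus = resp.StatusCode
	res.RedirectLocation = resp.Header.Get("Location")

	resp, err = secure.Client().Get(secure.URL + "/pair/PublicPair")
	if err != nil {
		return res, err
	}
	resp.Body.Close()
	res.HSTS = resp.Header.Get("Strict-Transport-Security")
	for _, c := range resp.Cookies() {
		if c.Name == "session" {
			res.CookieSecure, res.CookieHTTPOnly = c.Secure, c.HttpOnly
		}
	}
	return res, nil
}

func main() {
	res, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

The redirect alone is not enough: the first plaintext request still leaves the browser, token and all, if the cookie lacks Secure. The HSTS header removes even that first request on later visits, which is why the memo pairs the two.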
(Score: 2) by DannyB on Monday April 24, @01:41PM
Maybe the DHS will get a smackdown executive order saying that all government websites should be insecure to the maximum extent reasonably possible.
(Score: 4, Interesting) by VLM on Monday April 24, @12:06PM
Isn't this questionable news, such that the maintenance on publicPAIR is named "Systems Maintenance 1" on Apr 20, and it's not been mentioned that "Systems Maintenance 2" is scheduled on May 7?
My first guess was we're looking at the https proxy dance where they're either ripping out a https proxy in front of a native http only server and reconfiguring to a native http and https server, or the exact opposite where for whatever front end mumbo jumbo they're ripping out a native http and https server and converting to pure http with a https proxy frontend.
Say you got a load balanced cluster of virtual http-only hosts. Then there's a demand to implement https access. OK fine provision a whopping one single https host that does nothing but proxy incoming https into http. Then over time the https traffic increases and you provision more and more servers. But this architecture is a modest PITA for a variety of reasons, so eventually you want to implement dual protocol http and https on the same front ends, or maybe run the web app on the https servers primarily and have http proxied in. Well depending how cheapskate your cloud is, (and some are really cheapskate) you might need resources you don't have to set up the new architecture so you scrap and salvage the legacy https proxies, use the former https proxy load balanced cluster to provision the new architecture, and roll the whole new thing out. I've done stuff like that, well, there are differing details but more or less yeah.
Another classic is the cloudy forklift upgrade. Back in the bad old days you'd swap a physical rack of stuff one night and hope for the best (been there done that) but in cloudy land you provision new servers. But a lot of cloudy contracts and budgets are strangled technologically by very detailed quotas such that what's technically easy and wise would involve 50 people in the billing department pulling their hair out and it's organizationally less suffering to yank the https cluster, reprovision your quota as half size/failed architecture 2.0, deploy 2.0 next week, if it doesn't blow up then pull architecture 1.0 and reprovision those quota as the other half of load balanced arch 2.0, depending how busy 2.0 is, you might have to do that quickly or take your time...
Either way, for a week or so, sure no https because what was doing https is turning into some other piece of infrastructure.
Not the worst of ideas... if you're changing two things, do two maint notifications. If they tried too much complicated stuff at one time and blew it up we'd be making fun of them for overscheduling.
The next obvious question is, if you're changing two things, why not adjacent nights? Well look at all the paperwork BS and unless it involves launching nuclear missiles the .gov doesn't really operate that well so the contractors are going to bill one job on the monthly budget in April and the other job on the monthly budget in May. And there's a gap in case of delays and such. Maybe even separate contractors are involved for each maint which would be hilarious.
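The proxy-in-front-of-an-http-only-backend architecture sketched above has one security detail worth seeing in code: the backend learns the original scheme only from a header the proxy sets, so the proxy must overwrite whatever the client sent, and the backend must be reachable only through the proxy. Added example, not from the thread, in Go's standard library (httputil.ReverseProxy); the backend, the TLS frontend and the forged header are all constructed here. The demo sends a request that claims X-Forwarded-Proto: http both through the frontend, where it is corrected, and straight to the backend, where it is believed.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// newTLSFrontend is the proxy role from the architecture above: it terminates
// TLS and forwards plain HTTP to backend. It sets X-Forwarded-Proto from the
// connection it actually received, replacing any value the client supplied.
func newTLSFrontend(backend *url.URL) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(backend)
	director := proxy.Director
	proxy.Director = func(r *http.Request) {
		director(r)
		scheme := "http"
		if r.TLS != nil { // the cloned outbound request keeps the inbound TLS state
			scheme = "https"
		}
		r.Header.Set("X-Forwarded-Proto", scheme)
	}
	return proxy
}

// backendApp is the http-only web app. It can only trust the forwarded scheme
// if the proxy is the sole path to it; exposed directly, the header is
// attacker-controlled. Here it simply echoes what it was told.
func backendApp(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, r.Header.Get("X-Forwarded-Proto"))
}

// demo runs backend and frontend, then sends a request with a forged scheme
// header through the TLS frontend and, separately, straight to the backend.
func demo() (viaProxy, direct string, err error) {
	backend := httptest.NewServer(http.HandlerFunc(backendApp))
	defer backend.Close()
	u, err := url.Parse(backend.URL)
	if err != nil {
		return "", "", err
	}
	front := httptest.NewTLSServer(newTLSFrontend(u))
	defer front.Close()

	fetch := func(c *http.Client, base string) (string, error) {
		req, err := http.NewRequest("GET", base+"/pair/PublicPair", nil)
		if err != nil {
			return "", err
		}
		req.Header.Set("X-Forwarded-Proto", "http") // forged by the client
		resp, err := c.Do(req)
		if err != nil {
			return "", err
		}
		defer resp.Body.Close()
		b, err := io.ReadAll(resp.Body)
		return string(b), err
	}
	if viaProxy, err = fetch(front.Client(), front.URL); err != nil {
		return "", "", err
	}
	if direct, err = fetch(http.DefaultClient, backend.URL); err != nil {
		return "", "", err
	}
	return viaProxy, direct, nil
}

func main() {
	viaProxy, direct, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("backend saw via proxy:", viaProxy) // https
	fmt.Println("backend saw directly:", direct)    // http
}
```

In the migration VLM describes, the window where the app runs with and without the proxy is exactly when this header is easiest to get wrong; firewalling the backend to accept connections only from the proxy hosts is the usual control.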
(Score: 2, Insightful) by Anonymous Coward on Monday April 24, @01:33PM
Can anyone explain why there would be this seemingly backwards move to insecure communications?
Government can't work. Therefore, we elect politicians who believe very deeply that government can't work. When they get in power, they prevent government from working. The end result is that government can't work. Q.E.D.
(Score: 0) by Anonymous Coward on Monday April 24, @02:08PM (2 children)
...violently imposed monopoly? This. I expected this.
(Score: 0) by Anonymous Coward on Monday April 24, @04:42PM (1 child)
Honestly, I'm starting to find this guy amusing. Isn't it comforting that some trolls never change?
(Score: 0) by Anonymous Coward on Monday April 24, @05:58PM
Well, he isn't wrong per se, it's just that there is no simple way around preventing groups of humans from colluding to screw over others. That requires constant vigilance and proper legislation.
The "series of contracts" is basically what we currently have, the troll is just naive enough to think that separate business entities could magically solve society's problems through "natural selection". Darwin would be so fucking depressed to see how his work has been co-opted for bad social policy agendas.
(Score: 2) by epitaxial on Monday April 24, @02:44PM (1 child)
I don't have a lot of trust in HTTPS these days. I'm pretty sure the government has all the master keys anyhow so they can sign any cert they want and be the man in the middle.
(Score: 0) by Anonymous Coward on Monday April 24, @06:01PM
This is about a government site. Of course the government has the certificates of that site.
(Score: 2) by theluggage on Monday April 24, @03:07PM (2 children)
Can anyone explain why there would be this seemingly backwards move to insecure communications?
Your department head just got a Strongly Worded Memo when it came to light that you'd been using a free SSL certificate from an Israeli company who aren't on the approved suppliers list. It costs $50 to get a commercial certificate and there's no budget line for that in the current project code, the person in IT who needed to approve the LetsEncrypt certbot client for installation wrote "you must be fucking joking" on the form (and immediately went on sick leave) and even if you wade through all this shit today it will come back and haunt you in a year or two when the certificate needs renewing so, frankly, fuck it.
Never underestimate the hassle that needing a $50 certificate can cause in a big, bureaucratic institution.
(Score: 2) by fishybell on Monday April 24, @03:56PM
The hassle it caused in a ~200 employee business almost pushed me to drop the fight.
It took me weeks to convince upper management that a non-self-signed, non-CACert certificate would be better, if only for the end-user experience to our employees of not having to click through a bunch of browser safety checks. God I wish LetsEncrypt was up and running back then.
(Score: 2) by el_oscuro on Tuesday April 25, @09:00PM
About 20 years ago, I worked on a government contract. I left for a different contract, then came back about 6 months later. Almost the second I got in the building, one of the senior accounting drones was waiting for me at my desk, with a list of long distance calls I had made during my previous stint.
I was an Oracle DBA and most of those calls were to Oracle support. A few were to my home voice mail. That was back when the phone companies had those shitty "in state" long distance rates for anything more than 10 miles away.
I calculated the total cost of my "long distance" voice mail calls and it was:
$1.25
I pulled some loose change out of my pocket and paid him. I wonder how much it cost the government to collect that $1.25?
SoylentNews is Bacon! [nueskes.com]
(Score: 1, Insightful) by Anonymous Coward on Monday April 24, @03:58PM (3 children)
The patent database is public knowledge; http is no big deal, except for enabling ISPs to mess with your web pages.
Who's looking at which patents is not supposed to be public. Https is needed for this.
(Score: 1, Insightful) by Anonymous Coward on Monday April 24, @06:56PM (2 children)
Wouldn't it be cheaper to pass laws that ISPs cannot mess with and sell the traffic, so that everybody and their dog don't have to buy and manage friggen certificates for "read only" websites?
(Score: 2) by Justin Case on Tuesday April 25, @01:57PM
No.
Laws don't solve technical problems. Only politicians and idiots (but I repeat myself) believe that.
If self driving cars don't crash, it will be the first software ever that doesn't.
(Score: 2) by urza9814 on Tuesday April 25, @02:43PM
The ISPs are buying a lot of senators to ensure that they're allowed to spy on that traffic. If the USPTO is having trouble finding a hundred bucks for a cert, you really think they can afford to buy back half of Congress?