In patent search, there is no "search" box. Instead, the "quick search" forces you to specify two (and exactly two) text queries on the database columns with obligatory boolean operation.[1] Even if you happen to find an interesting patent, good luck linking to it (which should be the number one service they provide - GET individual patent documents). The page showing the patent document has a dozen cryptic query parameters in the URL, some of which relate to the search query you used to find the patent! No "make shareable link" button to be seen, either.
And don't get me started on the trademark search, or Trademark Electronic Search System (TESS), as they like to call it.[2] When you navigate to the front page, you get a private session identifier - in your URL of course! And when you search for a trademark ("simple search" is intuitively known as "New User" here) and select a TM to view, you would be excused of thinking that the short URL in your browser address bar is the linkable URL of this entry. But no - it's just your session identifier along with the document's index in the results of your last search query.
When you leave the trademark site or just click "Logout" (since you're a kind person - they after all ask you "logout when you are done to release system resources allocated for you"), that URL is gone in the wind. If you shared a link to that trademark to your friend, they only get this very helpful page:
<H1>This search session has expired. Please start a search session again by clicking on the TRADEMARK icon, if you wish to continue</H1>
https://en.wikipedia.org/wiki/Session_(computer_science)#Ser...
This existed since the Perl CGI times. "Bizarre practice", wow.
It could have been redeveloped in anything, but kept the original url scheme for backwards compatibility.
Question: if it's really this bad, this site is going to have incredibly poor ratelimiting or per-IP analytics/access controls, if it has these things at all.
So, it probably wouldn't be too impossible for someone to build a new site (maybe even an API) that talks to this and prettifies the results, lets you copy URLs (most likely via caching¹), and so forth. (The case in point about my previous paragraph is that the new site would generally hitting the old one, possibly several times a second, from one IP.)
You'd just need a strong mind to handle the inanities of talking to this system. :P
¹ But with the caching thing, you'd absolutely have to have a disclaimer stating that the services don't replace the USPTO website, yada yada (along with some wording buried in a policy document that carefully points out that the data is cached). I mean you'd need that anyway, but yeah.
Jesus christ.
Probably the only thing keeping this from being abused is that it's the government, it's a low-value target, and they're paying millions upon millions for someone to support this trainwreck with security patches.
The amount of computing power it takes to encrypt with SSL is minimal, especially if you use some of the newer systems like ECDSA and should not be of concern to a company like the Patent Office.
I don't want to speculate about what's going on at the managerial/administrative level, but I notice the current administration is committed to the goal of slashing most government spending by some huge amount while simultaneously cutting taxes. It may be that the head of the USPTO got a phone call telling them not to spend a single damn penny. Now, iirc the USPTO is actually self-financing on patent application fees, but I don't think they're so independent that they can just ignore directives from higher up in the executive branch.
They'd have that data already, so could just share it directly.
No, a third-party attacker can just look at size/timing of packets to figure out which page is being viewed, especially given it's among a limited and static corpus.
It's also possible that their configuration was causing them performance problems and decreasing overhead by killing HTTPS for "unnecessary" endpoints was seen as a potential solution. Requesting a public record about a patent is not something that, at first glance, seems like it should need to be transferred over a secure protocol.
Of course, none of these are really good reasons to disable HTTPS, but they're some potential explanations.
-----
Separately, I think some people who remember HTTPS being used to secure "true secret" pages kind of resent the "HTTPS must be used anywhere and everywhere" trend that has taken hold. It's not that there aren't good reasons to do that, but it's also silly to pretend there aren't side effects of doing it.
From some perspectives, the need to encrypt all communication can be seen as an external concern for something like a VPN tunnel to handle. End-to-end crypto is good because it, theoretically, precludes reception from anyone who can get in the middle of the server and the VPN, but it needs to be more transparent before everyone is willing to consider that a worthwhile/important tradeoff.
One side effect of HTTPS everywhere is that the site can no longer really designate some portion of traffic as "secret". If every admin in your org needs to be able to decrypt all HTTPS traffic to debug issues, you're giving some access away. Maybe some of them would've been able to get to that data anyway, but probably many of them would not.
Again, this is not to say that that HTTPS shouldn't be used, but just some musings into why someone would not necessarily be enthusiastic about it. Working to integrate HTTPS more transparently to admins and working toward the ability to mark specific information for extra "app-layer secrecy" instead of just relying on transport-layer secrecy seem like they'd be good steps.
I know you were only trying to coming up with some kind of reason but, there just isn't a valid one.
Or that the browser vendors that trust the CA the signed the certificate aren't just puppets for our lizard overlords.
And it's legal to publish a .GOV site using Drupal?
The US Federal Government is essentially the arbiter of all regulations and minimum standards within the United States. It's just surprising to see an opensource framework running on Apache/Coyote expected to run over HTTP.
It indicates what department of the USPTO manages that page of the website. All pages have a "page-owner" tag in the footer.
https://securityheaders.io/?q=www.uspto.gov&followRedirects=...
HSTS is 1 year at the time this comment is posted. They're in for some pain.
They are basically going to be DOSing a huge segment of users who've previously had that header set on their browsers...they're also violating the OMB mandate that requires TLS for all government sites...it is a rather strange move, I can't imagine there is a good reason for it.
EDIT If it is for portal.uspto.gov then HSTS is a non-issue but still a very bad move.
Is it? I still see HSTS from portal.uspto.gov with the same age.
doesn't seem to show anything for the domain
I've been involved in writing a few and the result was useless drivel. Combined with the fact that there are penalties for willful infringement, I'm not sure what the benefit to reading patents in your field would be.
So it seems that the maintenance will turn of HTTPS, not that it's unavailable during the maintenance.
> Immediately after the maintenance, users will only be able to access Public PAIR through URLs beginning with HTTP, such as http://portal.uspto.gov/pair/PublicPair. Past URLs using HTTPS to access Public Pair, such as https://portal.uspto.gov/pair/PublicPair, will no longer work.
Immediately after the maintenance, users will only be able to access Public PAIR through URLs beginning with HTTP, such as http://portal.uspto.gov/pair/PublicPair. Past URLs using HTTPS to access Public Pair, such as https://portal.uspto.gov/pair/PublicPair, will no longer work.
> Immediately after the maintenance, users will only be able to access Public PAIR through URLs beginning with HTTP,
Edit: the PDF attachment URL's are very predictable, they're the number of the patent in a weird order + a page number, e.g.: http://pdfpiw.uspto.gov/10/292/096/2.pdf
Back of the envelope calculations say all PDF's should only take 1 - 6 TB's (assuming 100kb to 600kb in PDF's on average). Seriously, why hasn't anyone mirrored this?
[0] https://www.uspto.gov/learning-and-resources/bulk-data-produ... [1] http://patents.reedtech.com/Public-PAIR.php
Copyright generally doesn't stop people from copying what they want to copy. Do only BigCo's have a use for patents?
Horse carraiges: 1400 Automobiles: 1890
Don't do this.
Has this been superseded by a new policy?
>Immediately after the maintenance, users will only be able to access Public PAIR through URLs beginning with HTTP, such as http://portal.uspto.gov/pair/PublicPair. Past URLs using HTTPS to access Public Pair, such as ...
A URL beginning with HTTPS ALSO begins with HTTP
HTTP/1.0 302 Found
Location: http://portal.uspto.gov/pair/PublicPair
Server: BigIP
This however seems to be everything:
https://pairbulkdata.uspto.gov/
Looks like people tend to be satisfied with Google Patent as well.
https://obamawhitehouse.archives.gov/blog/2015/06/08/https-e...
Does anyone have any experience with their support system? On Monday I will be calling them in an attempt to understand why they are exempt from the HTTPS Everywhere federal directive.
But to answer your other question, as part of the Department of Commerce, a "CFO Act" agency, USPTO would not be exempt.
* except uspto.gov
Are there any other .gov sites doing this? Can anyone shed more light on this?
*https://thestack.com/security/2017/04/12/netflix-found-to-le...
I wonder if 18f can help at all, it seems agencies must contact 18f themselves.
1: https://www.digitalgov.gov/2017/04/12/dotgov-domain-registra...
Fortunately, there are quite a few workarounds and opportunities that minimize all the associated risks ...