This is a story we haven’t done before: An important website downgraded its connections to users from encrypted, secure HTTPS to unencrypted, insecure plain HTTP.
Which important website? The U.S. Patent Office’s “Public Patent Application Information Retrieval” page. It’s where anyone can go to look into information about patents or patents in process. Users can search by several kinds of identifying numbers for different sorts of files.
On April 3, the agency’s blog posted a fairly opaque message announcing that encrypted connections would no longer work:
Immediately after the maintenance, users will only be able to access Public PAIR through URLs beginning with HTTP, such as http://portal.uspto.gov/pair/PublicPair. Past URLs using HTTPS to access Public Pair, such as https://portal.uspto.gov/pair/PublicPair, will no longer work.
It doesn’t explain at all why the site switched away from the secure connection.
When connections between sites and visitors are not encrypted, anyone positioned on the network path between them can read what passes over the connection and spy on what the visitor is doing. It could be very interesting for people in the technology business, for example, to know which patents interest their competitors. It seems like securing this connection would be important.
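One way an operator or a concerned user can confirm that a site has not quietly fallen back to plain HTTP is to request the HTTPS URL without following redirects, walk each hop, and flag any step where the scheme changes from https to http (and note whether the final response carries a Strict-Transport-Security header, which tells browsers to refuse such downgrades). The script below is an added example written for this article, not code from the Observer or the USPTO; the hostnames in its sample table (portal.example.test, good.example.test) are made up, and the sample responses are constructed to model two situations the article describes: an HTTPS URL that bounces to HTTP, and an HTTPS URL that simply stops answering.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=10):
    """Fetch one URL and return (status, headers) without following redirects.
    Connection-level failures (refused, TLS handshake error) raise OSError."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx are still useful answers
        return err.code, dict(err.headers.items())


def _header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def follow_redirects(fetch, start_url, max_hops=10):
    """Return (hops, final_status, final_headers), following at most max_hops."""
    hops = [start_url]
    status, headers = fetch(start_url)
    while status in REDIRECT_CODES and len(hops) <= max_hops:
        location = _header(headers, "location")
        if location is None:
            break
        hops.append(urljoin(hops[-1], location))
        status, headers = fetch(hops[-1])
    return hops, status, headers


def audit_https(start_url, fetch=live_fetch):
    """Report whether an HTTPS URL stays on HTTPS and whether HSTS is sent."""
    result = {"start": start_url, "reachable": True, "hops": [start_url],
              "downgraded": False, "hsts": False}
    try:
        hops, _status, headers = follow_redirects(fetch, start_url)
    except OSError:
        # The case from the USPTO announcement: the HTTPS URL no longer works at all.
        result["reachable"] = False
        return result
    schemes = [urlparse(u).scheme for u in hops]
    result["hops"] = hops
    # Any hop that goes https -> http exposes the rest of the session in the clear.
    result["downgraded"] = any(a == "https" and b == "http"
                               for a, b in zip(schemes, schemes[1:]))
    result["hsts"] = _header(headers, "strict-transport-security") is not None
    return result


# Constructed sample responses (hostnames are invented for this example).
SAMPLE_RESPONSES = {
    "https://portal.example.test/pair": (302, {"Location": "http://portal.example.test/pair"}),
    "http://portal.example.test/pair": (200, {"Content-Type": "text/html"}),
    "https://good.example.test/": (200, {"Strict-Transport-Security": "max-age=31536000"}),
}


def sample_fetch(url):
    """Offline stand-in for live_fetch; unknown URLs model a closed HTTPS port."""
    if url not in SAMPLE_RESPONSES:
        raise ConnectionRefusedError(url)
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    for url in ("https://portal.example.test/pair", "https://good.example.test/",
                "https://dead.example.test/"):
        print(audit_https(url, sample_fetch))
```

To check a real site, call audit_https with the default fetch (for example audit_https("https://portal.uspto.gov/pair/PublicPair")); a result with reachable False or downgraded True is the condition the article describes. A site that wants browsers to remember the secure scheme should also show hsts True.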
The Observer called Monday morning to find out why security would be downgraded on the site. Subsequently, a new blog post went up, explaining that some users reported errors after the switch, which only took place on April 11. Its blog reports:
A decision was made to back out the new HTTPS capability while the agency investigated a resolution to the issue. We expect to implement a fix and restoration of the HTTPS protocol in the next few weeks.
We followed up for more detail but were simply directed back to the Monday blog post.
“My gut says older browsers (or things that are not browsers that are designed to interact with that system) couldn’t support the crypto that USPTO was serving,” Joe Hall, chief technologist at the Center for Democracy and Technology (CDT), wrote the Observer in an email. “The more cynical side says that there are probably a ton of automated scraping scripts that hit those pages, and the companies behind them are powerful USPTO constituents that are too lazy to hire someone to write the scripts such that they can pull down HTTPS pages.”
CDT is one of many advocacy groups that have been pushing hard to encrypt websites across the internet. The Observer has been covering one of the last major vestiges of insecure web viewing closely: adult-oriented websites. The last year has seen a sea change in that corner of the internet, culminating in the recent security upgrade at Pornhub.
Most pages on the U.S. PTO’s site encrypt user sessions.