USPTO continues to fail to provide up-to-date web security

It’s been many years since I first tried to nudge the USPTO in the direction of providing up-to-date web security for its customers.  Up-to-date web security includes at least three measures:

  • HTTPS connections for all e-commerce web sites
  • PFS (perfect forward secrecy) for all HTTPS web sites
  • DNSSEC (Domain Name System security) for all domain names

I’m not the only one trying to nudge the USPTO in the right direction.  No less an authority than the White House has also tried to nudge the USPTO in this direction, by means of presidential executive order:

  • In 2008, the White House directed all US government agencies (including the USPTO) to implement DNSSEC on all of their domain names (memorandum M-08-233).
  • In 2015, the White House directed all US government agencies (including the USPTO) to implement HTTPS on all of their web sites (memorandum M-15-13).

A White House CIO web page explains to US government agencies how to implement HTTPS on their web sites.  The web page says:

Federal websites that do not convert to HTTPS will not keep pace with privacy and security practices used by commercial organizations, and with current and upcoming Internet standards. This leaves Americans vulnerable to known threats, and may reduce their confidence in their government.

In August of 2014 I urged the USPTO to implement HTTPS on its servers (“USPTO needs to implement SSL and PFS on all servers”).  I pointed out that TESS, TEAS, EPAS, ETAS, AOTW, PATFT, and TSDR all lacked HTTPS and PFS.  I pointed out that EPO and WIPO have PFS on their servers that have HTTPS.

What progress has USPTO made since August of 2014 when I nudged the USPTO?  What progress has USPTO made since June of 2015 when the President nudged the USPTO?

Here is the current status of some of the web servers at USPTO, the US Copyright Office, OHIM, EPO, and WIPO.  In this table, “yes” is good and “no” is bad.

Server                             HTTPS  PFS  DNSSEC
Private PAIR                       yes    no   yes
Public PAIR                        no     no   yes
EFS-Web                            yes    no   yes
TESS                               no     no   yes
TSDR                               yes    yes  no
TEAS                               no     no   yes
EPAS                               yes    no   yes
ETAS                               yes    no   yes
AOTW                               no     no   yes
PATFT                              no     no   yes
ESTTA                              no     no   yes
TTABVUE                            no     no   yes
USPTO main web site                no     no   yes
eCO                                yes    yes  yes
US Copyright Office main web site  no     no   yes
Hague Express                      no     no   no
ROMARIN                            no     no   no
Patentscope                        yes    yes  no
ePCT                               yes    yes  no
WIPO main web site                 no     no   no
European Patent Register           yes    yes  no
Espacenet                          yes    yes  no
EPO main web site                  yes    yes  no
Designview                         yes    no   no
Tmview                             yes    no   no
OHIM main web site                 yes    no   no
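The three checks behind a table like this one can be scripted.  What follows is an added example, not code from the original post: it assumes Python 3 with the standard ssl module, and the third-party dnspython package (imported only when the DNSSEC check is called).  The two network probes need connectivity; the audit() summary runs offline on a constructed sample of the table's rows.

```python
import socket
import ssl

def cipher_provides_pfs(cipher_name):
    """ECDHE/DHE suites and every TLS 1.3 suite use ephemeral keys, so a
    recorded session cannot later be decrypted with the server's long-term
    key; static RSA or static (EC)DH key exchange gives no such guarantee."""
    name = cipher_name.upper()
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):  # TLS 1.3 suite names
        return True
    return "DHE" in name  # matches ECDHE-/DHE- (OpenSSL) and TLS_ECDHE_/TLS_DHE_ (IANA)

def probe_https(host, port=443, timeout=5.0):
    """Verified TLS connection (needs network); returns (https, pfs). A cert
    that fails validation counts as no HTTPS, and 'pfs' reflects the suite the
    server chose for this modern client, not its whole suite list."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cipher_name = tls.cipher()[0]
    except OSError:  # refused, timed out, or TLS/certificate failure
        return False, False
    return True, cipher_provides_pfs(cipher_name)

def dnssec_signed(host):
    """True if a DNSSEC-OK query returns RRSIG records, i.e. the zone is
    signed (needs network and the third-party dnspython 2.x package). Signed is
    not validated: only a validating resolver's AD flag proves the trust chain."""
    import dns.flags, dns.rdatatype, dns.resolver  # lazy: optional dependency
    resolver = dns.resolver.Resolver()
    resolver.use_edns(0, dns.flags.DO, 4096)
    try:
        answer = resolver.resolve(host, "A")
    except Exception:
        return False
    return any(rr.rdtype == dns.rdatatype.RRSIG for rr in answer.response.answer)

def audit(servers):
    """servers: {name: (https, pfs, dnssec)}; returns names failing each measure."""
    return {
        "https": sorted(n for n, (h, _, _) in servers.items() if not h),
        "pfs": sorted(n for n, (_, p, _) in servers.items() if not p),
        "dnssec": sorted(n for n, (_, _, d) in servers.items() if not d),
    }

# Constructed sample reproducing four rows of the table above.
SAMPLE = {"Private PAIR": (True, False, True), "TESS": (False, False, True),
          "TSDR": (True, True, False), "eCO": (True, True, True)}
```

For a live run, build the dictionary with `(*probe_https(h), dnssec_signed(h))` for each hostname and pass it to audit().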

Here are a few detailed observations.

DNSSEC.  Nearly all of the USPTO domain names are protected by DNSSEC.  Oddly, USPTO’s one failure in this area is the domain name “tsdr.uspto.gov”.  USPTO needs to get this fixed.  EPO, WIPO, and OHIM have all failed to implement DNSSEC for their domain names.

HTTPS.  USPTO is in substantial non-compliance with the President’s order (and has not taken very much action in response to my nudging).  Most of the web servers that I flagged in 2014 for failing to provide HTTPS (TESS, TEAS, AOTW, and PATFT) still fail to provide HTTPS now in 2016.  To USPTO’s credit, USPTO has managed to implement HTTPS in three servers (EPAS, ETAS and TSDR) that did not have it before.  But many other servers, including Public PAIR, ESTTA and TTABVUE, still fail to provide HTTPS.

PFS.  Perfect Forward Secrecy is an easy-to-implement and essentially cost-free software update which USPTO has failed to provide on any of its web servers, the sole exception being TSDR.

US Copyright Office.  The US Copyright Office provides all three protections on its copyright registration e-filing system eCO.  But it fails to provide HTTPS or PFS on its main web site.

OHIM.  The European trademark office provides HTTPS on most of its web servers, but fails to provide PFS.  As mentioned above, it fails to provide DNSSEC protection.

EPO.  The European Patent Office provides HTTPS and PFS on most of its web servers, which is very good.  As mentioned above, it fails to provide DNSSEC protection.

WIPO.  The World Intellectual Property Organization provides HTTPS and PFS on Patentscope and ePCT.  It fails to provide either protection on its design and trademark database servers.  As mentioned above, it fails to provide DNSSEC protection.
