It’s been many years since I first tried to nudge the USPTO in the direction of providing up-to-date web security for its customers. Up-to-date web security includes at least three measures:
- HTTPS connections for all e-commerce web sites
- PFS (perfect forward secrecy) for all HTTPS web sites
- DNSSEC (Domain Name System security) for all domain names
I’m not the only one trying to nudge the USPTO in the right direction. No less an authority than the White House has also tried to nudge the USPTO in this direction, by means of presidential executive order:
- In 2008, the White House directed all US government agencies (including the USPTO) to implement DNSSEC on all of their domain names (memorandum M-08-233).
- In 2015, the White House directed all US government agencies (including the USPTO) to implement HTTPS on all of their web sites (memorandum M-15-13).
A White House CIO web page explains to US government agencies how to implement HTTPS on their web sites. The web page says:

> Federal websites that do not convert to HTTPS will not keep pace with privacy and security practices used by commercial organizations, and with current and upcoming Internet standards. This leaves Americans vulnerable to known threats, and may reduce their confidence in their government.

In August of 2014 I urged the USPTO to implement HTTPS on its servers (“USPTO needs to implement SSL and PFS on all servers”). I pointed out that TESS, TEAS, EPAS, ETAS, AOTW, PATFT, and TSDR all lacked HTTPS and PFS. I pointed out that EPO and WIPO have PFS on their servers that have HTTPS.
What progress has USPTO made since August of 2014 when I nudged the USPTO? What progress has USPTO made since June of 2015 when the President nudged the USPTO?