USPTO makes a little progress on web server security

Back in August of 2014 I blogged about the urgent need for USPTO to use “https://” instead of “http://” in all of its servers.  In June of 2015 I noted that USPTO had made no progress on this, so I blogged about it again.  I am delighted to be able to report that USPTO has now made a baby step.  On August 11, 2016, USPTO made an announcement about this.

Here is the text of the USPTO’s announcement:

On August 12, 2016, the informational web pages currently found at http://www.uspto.gov will be moved to https://www.uspto.gov. The pages will now use HTTPS (Hypertext Transfer Protocol Secure), the strongest privacy and integrity protection currently available for public web connections.

Those accessing web pages formerly found at http://www.uspto.gov will automatically be redirected to the pages’ new HTTPS location. Many of our systems already use the HTTPS protocol, and we continue to work to update all our systems to HTTPS as part of a government-wide effort to ensure all federal websites use HTTPS. Using HTTPS ensures a new, strong baseline of user privacy and security across U.S. government websites and APIs.

Now if one had to select a web server at the USPTO that urgently needed the HTTPS modernization, it would not be the main informational page at www.uspto.gov.  Yes of course that server did need to be brought up to date, but many other USPTO systems more urgently needed (and still need) the modernization.  It is one thing to worry about whether a ne’er-do-well might eavesdrop on my reading of, say, the Director’s Blog, but it is another bigger thing to worry whether someone might see the search terms that I am using when I carry out searches at TESS or the Full-Text patent database.

But still, the USPTO should be lauded at least for recognizing that it was so far behind and at least starting somewhere.

There is a second, perhaps more subtle, good thing that USPTO did about this.  USPTO recognized, correctly, that lots of people would still go and try to visit http://www.uspto.gov, out of habit or by clicking on stored links and bookmarks and search engine results.  So as you can see in USPTO’s announcement quoted above, USPTO took the further step of setting up a redirect so that would-be visitors to http://www.uspto.gov will get automatically redirected to https://www.uspto.gov.  It’s the right thing to do and USPTO did it.

Let’s take a look at some of the USPTO servers whose failure to provide HTTPS got mentioned in my August 2014 blog article.

EPAS and ETAS are both now protected by HTTPS.  And they use up-to-date encryption suites.

TEAS and PATFT are not yet protected by HTTPS.  Hopefully the USPTO will move forward to protect these servers.

TSDR is “sort of” protected in the sense that if the user actively forces the URL to contain “https” then the connection will be protected by SSL.  But USPTO has not done a “redirect” so that non-SSL visitors (those using “http” rather than “https”) would be redirected to the SSL-protected page.  USPTO needs to do the redirect for TSDR that it did for www.uspto.gov and EPAS and ETAS.

Providing SSL protection is a necessary but not sufficient step toward being up-to-date about web site security.  As I explained in my previous blog posts, USPTO also needs to use up-to-date cryptographic suites for the SSL protection.  Among other things this requires providing PFS (perfect forward secrecy) and modern encryption software for the SSL protection.  It is super-easy to be up-to-date in this way, because nowadays there is well-debugged free-of-charge open-source software to do this.

But the TSDR site, although it does now provide HTTPS protection, still uses a woefully outdated cryptographic suite.
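The two properties discussed above (an http:// request being redirected to https://, and the negotiated cipher suite offering forward secrecy) can be checked for any server one operates with the short Python script below. It is an added example, not code from the original post or from the USPTO; the PFS test relies on OpenSSL's cipher-suite naming (ECDHE-/DHE- prefixes, and the TLS 1.3 suite names), and the hostname is passed on the command line.

```python
"""Added audit helper: does http://host redirect to https://, and does the
TLS endpoint pick a forward-secret (PFS) cipher suite?"""
import http.client
import socket
import ssl
from typing import Optional, Tuple
from urllib.parse import urljoin, urlparse

# Assumption: OpenSSL naming. Ephemeral (EC)DH suites carry an ECDHE-/DHE- prefix;
# every TLS 1.3 suite (TLS_AES_*, TLS_CHACHA20_*) uses ephemeral key exchange.
PFS_PREFIXES = ("ECDHE-", "DHE-", "TLS_AES_", "TLS_CHACHA20_")


def cipher_provides_pfs(cipher_name: str) -> bool:
    """True if the negotiated suite gives perfect forward secrecy."""
    return cipher_name.upper().startswith(PFS_PREFIXES)


def classify_redirect(status: int, location: Optional[str], requested: str) -> str:
    """Classify a plain-HTTP response without following it:
    'https-redirect' (the fix USPTO applied to www.uspto.gov), 'http-redirect', or 'no-redirect'."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return "no-redirect"
    target = urlparse(urljoin(requested, location))  # Location may be relative
    return "https-redirect" if target.scheme == "https" else "http-redirect"


def check_http_redirect(host: str, path: str = "/", timeout: float = 10) -> str:
    """Fetch http://host/path (port 80) and classify what the server answers."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return classify_redirect(resp.status, resp.getheader("Location"), f"http://{host}{path}")
    finally:
        conn.close()


def negotiated_cipher(host: str, timeout: float = 10) -> Tuple[str, str]:
    """Open a TLS session on port 443 and return (protocol, cipher) the server chose."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, 443), timeout=timeout)
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        name, proto, _bits = tls.cipher()
        return proto, name


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.uspto.gov"
    print(host, "plain HTTP:", check_http_redirect(host))
    proto, name = negotiated_cipher(host)
    print(host, proto, name, "PFS" if cipher_provides_pfs(name) else "NO PFS")
```

A server in the state the post describes for TSDR would report `no-redirect` on port 80 and a non-PFS suite on port 443.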

The fact is USPTO should be commended for at least making the small steps that it has made, and should be encouraged to continue its progress in this area.
