
“Users will only be able to view patents via HTTP. HTTPS will no longer work” - tsukaisute
https://www.uspto.gov/blog/ebiz/
======
vesinisa
The USPTO databases have to be one of the most torturous services to their
users in the whole of internet. The UI of both the patent and trademark search
is archaic, but not in an HN way but in a _really_ bad way.

In patent search, there is no "search" box. Instead, the "quick search" forces
you to specify two (and exactly two) text queries on the database columns with
_obligatory_ boolean operation.[1] Even if you happen to find an interesting
patent, good luck linking to it (which should be the _number one_ service they
provide - GET individual patent documents). The page showing the patent
document has a dozen cryptic query parameters in the URL, some of which relate
to the _search query_ you used to find the patent! No "make shareable link"
button to be seen, either.

And don't get me started on the trademark search, or Trademark Electronic
Search System (TESS), as they like to call it.[2] When you navigate to the
front page, you get a private session identifier - in your URL of course! And
when you search for a trademark ("simple search" is intuitively known as "New
User" here) and select a TM to view, you would be excused for thinking that the
short URL in your browser address bar is the linkable URL of this entry. But
no - it's just your session identifier along with the document's index in the
results of your last search query.

When you leave the trademark site or just click "Logout" (since you're a kind
person - they after all ask you "logout when you are done to release system
resources allocated for you"), that URL is gone in the wind. If you shared a
link to that trademark to your friend, they only get this very helpful page:

    <H1>This search session has expired.  Please start a search session again by clicking on the TRADEMARK icon, if you wish to continue</H1>

So no way to link to individual TM registrations here either.

1: [http://patft.uspto.gov/netahtml/PTO/search-bool.html](http://patft.uspto.gov/netahtml/PTO/search-bool.html)

2: [http://tmsearch.uspto.gov/](http://tmsearch.uspto.gov/)

~~~
Twirrim
FWIW, you're often better off not searching, or looking at, patents. If you
end up in a patent case, your liabilities will be much higher if they can
sufficiently claim you knowingly infringed. Evidence that you searched for
patents can weigh against you / your employer. _Even_ if you weren't
associated with the infringing product itself.

~~~
nullc
This is largely outmoded advice in the wake of In re Seagate. Simply having
looked at a patent is not enough to create willful infringement.

~~~
nullc
I've just been informed that In re Seagate got overturned last year. Bad
news.

~~~
monochromatic
Did it? Got a link?

~~~
WCityMike
Just Google "In Re Seagate Overturned".

------
popey456963
Why on Earth could they possibly feel it necessary to do this? The United
States Patent Office doesn't have a complex system of sub-domains or even an
EV license, if money were the object then they could just go with Let's
Encrypt (not to mention the current license continues until 2018 anyway).

The amount of computing power it takes to encrypt with SSL is minimal,
especially if you use some of the newer systems like ECDSA and should not be
of concern to a company like the Patent Office.

~~~
jbob2000
Well if you put on your tinfoil hat - maybe someone wants to track who's
viewing which patents, which they can't do when it's encrypted. You're right,
it doesn't make any sense to do this, so there must be an ulterior motive.

~~~
stonesam92
If that were the case and USPTO were in on the trick, why the need to drop
HTTPS?

They'd have that data already, so could just share it directly.

~~~
mcbits
This will allow ISPs to track who is viewing particular patents and when. That
would be very lucrative data to sell in some circumstances. I doubt the USPTO
would distribute a list of IP addresses that accessed a patent without some
kind of due process.

~~~
sgt101
I think this might be gutted out already though as big companies use
proprietary databases which have enhanced data on the patents. Also google
patents...

~~~
mcbits
Yeah, I don't think it's actually their reason for the change. It's just one
hypothetical consequence that the decision makers probably failed to consider.
Still, the decision makers should be investigated for conflicts of interest
because they've made a really fishy-smelling decision.

------
snvzz
Fun fact: HSTS

[https://securityheaders.io/?q=www.uspto.gov&followRedirects=...](https://securityheaders.io/?q=www.uspto.gov&followRedirects=on)

HSTS is 1 year at the time this comment is posted. They're in for some pain.

~~~
andygambles
Removal of HTTPS is on [http://portal.uspto.gov/](http://portal.uspto.gov/)

------
chrisatumd
[https://obamawhitehouse.archives.gov/blog/2015/06/08/https-everywhere-government](https://obamawhitehouse.archives.gov/blog/2015/06/08/https-everywhere-government)

Has this been superseded by a new policy?

~~~
0xcde4c3db
An excellent question. I tried looking up the current policies, but the "IT
Policy Library" [1] is provided in an iframe that doesn't load for me ("The
connection to the server was reset while the page was loading.").

[1] [https://cio.gov/resources/it-policy-library/](https://cio.gov/resources/it-policy-library/)

~~~
konklone
The policy is still in effect, and its supporting home page is here:
[https://https.cio.gov](https://https.cio.gov)

------
jaclaz
To be picky:

>Immediately after the maintenance, users will only be able to access Public
PAIR through URLs beginning with HTTP, such as
[http://portal.uspto.gov/pair/PublicPair](http://portal.uspto.gov/pair/PublicPair).
Past URLs using HTTPS to access Public Pair, such as ...

A URL beginning with HTTPS _ALSO_ begins with HTTP

~~~
Qwertious
To be pickier, they never said that all URLs beginning with 'HTTP' would be
enabled, merely that URLs beginning with something _other_ than HTTP would be
_disabled_ , and also that URLs beginning with 'HTTPS' would be disabled. They
never stated that HTTPS was part of the "doesn't begin with HTTP" group.

------
lol768
They have a valid cert in use that only expires in 2019, and it's SHA256. But
when you visit over HTTPS, this happens:

    HTTP/1.0 302 Found
    Location: http://portal.uspto.gov/pair/PublicPair
    Server: BigIP

Why would they want to do this? Seems incredibly dumb to me, huge step
backwards.
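Taken together, the 302 captured above and the one-year HSTS policy snvzz observed describe a configuration that strands clients which have cached the policy. The following is an added example, not code from the thread or from the USPTO: it parses a constructed response modelled on the quoted 302 (the Strict-Transport-Security header is an assumption, since the thread only observed HSTS on www.uspto.gov, not necessarily on portal.uspto.gov) and flags the HTTPS-to-HTTP downgrade and the redirect loop it causes for HSTS-aware clients.

```python
from urllib.parse import urlsplit

# Constructed sample modelled on the 302 quoted in the thread; the HSTS header
# is an assumption (the thread only observed HSTS on www.uspto.gov).
SAMPLE_RESPONSE = (
    "HTTP/1.0 302 Found\r\n"
    "Location: http://portal.uspto.gov/pair/PublicPair\r\n"
    "Server: BigIP\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)

def parse_response(raw):
    """Split a raw HTTP response head into (status_code, {lower-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            max_age = int(val.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def assess(requested_url, raw_response):
    """Return findings for one response captured from requested_url."""
    req = urlsplit(requested_url)
    status, headers = parse_response(raw_response)
    findings = []
    downgrade = False
    if req.scheme == "https" and 300 <= status < 400 and "location" in headers:
        target = urlsplit(headers["location"])
        if target.scheme == "http" and target.hostname == req.hostname:
            downgrade = True  # the HTTPS entry point sends clients to plain HTTP
            findings.append("downgrade-redirect")
    # HSTS is only honoured when received over TLS, so ignore it on an http:// fetch
    hsts = headers.get("strict-transport-security")
    if req.scheme == "https" and hsts:
        max_age, _ = parse_hsts(hsts)
        if max_age:  # max-age=0 would clear the policy instead
            findings.append("hsts-active")
            if downgrade:
                # A client that cached the policy rewrites the http:// Location back
                # to https://, receives the same 302, and never reaches the page.
                findings.append("hsts-redirect-loop")
    return findings
```

Run `assess("https://portal.uspto.gov/pair/PublicPair", SAMPLE_RESPONSE)` to see all three findings; the same response fetched over plain http:// yields none, because a browser ignores HSTS headers received without TLS.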

~~~
zokier
Does TLS termination cost extra for BigIP? Maybe their license expired or
something?

~~~
doubleplusgood
TLS offload is usually extra on F5 BigIP

~~~
Karunamon
Does F5 do any special secret sauce that can't be replicated with an equally
powerful set of hardware and a good HAProxy config? I know one of our network
admins is continually complaining about how shitty their UI is...

~~~
xorcist
F5 has some secret sauce to it but it's mostly performance related. They have
a good chunk of hardware offloading, all the way up to the TLS layer.

I seem to remember even the entry license includes full TLS offloading so I
doubt the poster above is correct that it is a cost issue.

As to if HAProxy can do the job, well, that depends. F5s are complex beasts
and they can load balance application specific protocols that can be hard to
find elsewhere, with the support contract that goes with it.

~~~
mdekkers
crypto offloading isn't hard, and can be done on the NIC if you want/need:
[https://www.nextplatform.com/2016/10/03/server-encryption-fpga-offload-boost/](https://www.nextplatform.com/2016/10/03/server-encryption-fpga-offload-boost/)

~~~
otterley
Can you show us how to configure that on a typical box?

~~~
mdekkers
Of course, but that is chargeable work.

------
makecheck
This would be interesting for patent research; you could legitimately say "I
looked for a patent that already covers X but since you cannot guarantee the
data was not modified in transit, I cannot be certain that I saw what was
actually in the patents I reviewed".

~~~
xtreme
Even if the courts allowed this to be a valid defense, it could only protect
you from willful infringement. Not having knowledge of an existing patent does
not stop the other party from claiming damages. If they can prove you knew
that your work infringes the patent, they can sue you for treble damages from
willful infringement.

~~~
anigbrowl
They might allow it, but in civil litigation liability hangs upon the balance
of probabilities rather than being beyond a reasonable doubt as in criminal
trials. So a court might well allow it but that doesn't mean a jury would find
it persuasive.

------
cryptarch
Anyone looking at creating an IPFS or BitTorrent mirror yet?

Edit: the PDF attachment URLs are very predictable: they're the number of the
patent in a weird order + a page number, e.g.:
[http://pdfpiw.uspto.gov/10/292/096/2.pdf](http://pdfpiw.uspto.gov/10/292/096/2.pdf)

Back-of-the-envelope calculations say all PDFs should only take 1 - 6 TB
(assuming 100kb to 600kb per PDF on average). Seriously, why hasn't anyone
mirrored this?

~~~
umhau
Legal issues from mirroring something that's sort-of government property? I
have no idea if it is or not, but I'd guess it's some sort of grey area.

~~~
cryptarch
As in, fear of extra-legal persecution or fear of legal prosecution?

Copyright generally doesn't stop people from copying what they want to copy.
Do only BigCo's have a use for patents?

------
gelstudios
This is surprising given that the .gov registrar is requiring HTTPS + HSTS for
all new agency websites [1], but they specifically exclude existing domains or
_renewals_.

I wonder if 18f can help at all, it seems agencies must contact 18f
themselves.

1: [https://www.digitalgov.gov/2017/04/12/dotgov-domain-registration-program-to-provide-https-preloading-in-may/](https://www.digitalgov.gov/2017/04/12/dotgov-domain-registration-program-to-provide-https-preloading-in-may/)

------
shif
That's regressive as fuck, it's like saying that cars will no longer be
allowed, only horse carriages

~~~
paulddraper
The gap between those two technologies is larger than you suggest.

Horse carriages: 1400. Automobiles: 1890.

~~~
yjftsjthsd-h
Horses and cars were in use at the same time, just like HTTP and HTTPS; I'm
not sure why their invention times are relevant?

~~~
paulddraper
Gunpowder and ICBMs were also in use at the same time

I'm claiming the technological backstepping is not nearly as drastic as the GP
implies.

~~~
thaumasiotes
But you listed a completely irrelevant gap. The gap of relevance is the one
between automobiles and now, not the one between carriages and automobiles. If
automobiles were the transport technology of 1890 and carriages were the
technology of 1889, then devolving to carriages puts us back to 1889,
regardless of when horses were invented.

------
RangerScience
Is there any way to find out who originally made the USPTO site? A contract
company, government employees, etc?

------
Eridrus
Does anyone here actually read patent filings?

I've been involved in writing a few and the result was useless drivel.
Combined with the fact that there are penalties for willful infringement, I'm
not sure what the benefit to reading patents in your field would be.

~~~
mwfunk
The patent system has evolved in a way that has practically inverted its
original intents. You're exactly right, practitioners in a given field (ex:
engineers in the tech industry) often avoid looking at patents, because no
good can come of it. Most are too vague to be useful for licensing, but it
opens one up to willful infringement claims later on.

~~~
pbhjpbhj
Isn't failure to perform a search with due diligence an equal liability in US
patent cases?

~~~
mwfunk
IANAL, but my understanding is no. Also, software patents tend to be so vague
and generic that if you were to thoroughly search for anything that you might
conceivably be infringing on, you'll spend a preposterous amount of time doing
so, probably find not one single thing that directly applies to what you're
doing, and will probably find a few thousand that don't apply but are generic
enough that some lawyer might still haul you into court in east Texas, who can
then claim willful infringement because of your search. I probably couldn't
even write /bin/ls without stepping close to infringing on hundreds or
thousands of vague, generic IP land mines planted long ago by unscrupulous
lawyers who are just waiting with bated breath for someone to stumble across
them so they can drag people to east Texas or (more likely) shake them down
for settlement money before it goes to court.

------
3131s
Prime example of a government function that could benefit from the open source
community. If all this patent data were dumped today, in whatever format it's
stored in, I guarantee we'd be seeing a bunch of cool ShowHNs within days and
all of us would be better off for it.

~~~
tyingq
Not sure if it's everything, but the USPTO provides this
[http://patents.reedtech.com](http://patents.reedtech.com)

~~~
3131s
Does seem like I spoke too soon, though the above link is not everything. I
downloaded it and it's a CSV file with three fields -- a patent ID (I think),
a date, and some other number.

This however seems to be everything:

[https://pairbulkdata.uspto.gov/](https://pairbulkdata.uspto.gov/)

Looks like people tend to be satisfied with Google Patent as well.

------
dragon_greens
Is this a joke?

~~~
_arvin
HTTPS Everywhere*

* except uspto.gov

Are there any other .gov sites doing this? Can anyone shed more light on this?

------
tellor
Quite a tricky incident or a tendency ... One day, it will make you look at
the problem more creatively. This is an increase in the risks of MITM - when
information can be distorted or other manipulations with it are possible. But
this is good as a whole. Will help create more sophisticated and safe
technologies for viewing information in these networks.

Fortunately, there are quite a few workarounds and opportunities that minimize
all the associated risks ...

------
cjhanks
Also, at the bottom of the page "This page is owned by Service Desk." What
does that mean?

And it's legal to publish a .GOV site using Drupal?

~~~
chickenfries
Drupal is all over government sites. So is Wordpress. Do you expect them to be
using closed source CMSs or something? (I get that Drupal is insecure, but no,
it's not "illegal" to use Drupal...)

~~~
drc0
"Drupal is insecure", why?

~~~
shif
[https://www.cvedetails.com/product/2387/Drupal-Drupal.html?vendor_id=1367](https://www.cvedetails.com/product/2387/Drupal-Drupal.html?vendor_id=1367)

------
loa_in_
I bet 10$ that "errors" were reported by people who still run iexplore on
Windows XD which doesn't support modern https.

------
kakarot
As far as I know, this is illegal because of this:

[https://obamawhitehouse.archives.gov/blog/2015/06/08/https-everywhere-government](https://obamawhitehouse.archives.gov/blog/2015/06/08/https-everywhere-government)

Does anyone have any experience with their support system? On Monday I will be
calling them in an attempt to understand why they are exempt from the HTTPS
Everywhere federal directive.

~~~
konklone
I wouldn't use the word "illegal" - it's a directive of OMB (the White
House's management and budget office), not a law or a regulation or an
executive order. The only true enforcers are OMB themselves.

But to answer your other question, as part of the Department of Commerce, a
"CFO Act" agency, USPTO would not be exempt.

~~~
kakarot
Thank you for clearing that up. Are you aware of what kind of consequences
might be incurred at the expense of disobeying the OMB as a government entity?

------
ac1120p
claimparse.com at least shows recent patents that have issued.

------
odammit
There has been a XSS vulnerability in the USPTO site since 2008 I reported. It
still worked in 2014. Meatspinned quite a few coworkers using it.

~~~
cdcarter
> Meatspinned quite a few coworkers using it.

Don't do this.

~~~
slrz
Please provide rationale showing that the associated risks outweigh the
immense fun of "meatspinning" coworkers.

"Don't do this" is probably not very convincing.

~~~
floatingatoll
[https://it.slashdot.org/story/08/06/18/2213232/man-fired-when-laptop-malware-downloaded-porn](https://it.slashdot.org/story/08/06/18/2213232/man-fired-when-laptop-malware-downloaded-porn)

Don't be the person that gets someone fired, arrested, jailed, and in lifetime
legal trouble because some asshole thought it would be hilarious to display
porn on their computer at work.

(Yes, I'm equating "meatspinning" to malware. Argue if you like about that,
but the main point stands: If you meatspin someone, you're taking a chance of
ruining their entire life. Don't be That Guy.)

~~~
flukus
> Don't be the person that gets someone fired, arrested, jailed, and in
> lifetime legal trouble because some asshole thought it would be hilarious to
> display porn on their computer at work.

Not to defend "meatspinning" (first time I've heard the term), but don't you
think the real problem here is that people can be fired/jailed/etc without due
process? This was just some drive-by malware; imagine what you could do to
someone's life if you intentionally targeted them.

~~~
qb45
Also worth adding that it was kiddie pr0n that got the guy fired in parent's
story. Quite a lot of people tend to overreact to this for either CYA or moral
high horse reasons.

If he was fired for meatspin or lemonparty, he would publicly accuse them of
homophobia on twitter and things would be different ;)

------
ac1120p
claimparse.com

------
hackerhasid
The answer to just about every question posed on this thread is the same:
"it's the government!"

------
15charlimitdumb
It seems like most of the pro-HTTPS arguments are asserting the right to
anonymous public patent inspection. It is fundamentally impossible for the
USPTO to provide this access* (free speech traps ahead). If you don't want
data about access patterns tracked, the burden is on the consumer, not the
provider, for public resources.

*[https://thestack.com/security/2017/04/12/netflix-found-to-le...](https://thestack.com/security/2017/04/12/netflix-found-to-leak-information-on-https-protected-videos/)

~~~
bitexploder
Never mind that HTTP can easily be man-in-the-middled and tampered with, and I
have no way to ensure I am communicating with who I think I am.

------
robertpateii
> beginning at 12:01 a.m., Friday, April 21 and ending at 2 a.m., Friday,
> April 21 ET.

~~~
diggan
> Immediately after the maintenance, users will only be able to access Public
> PAIR through URLs beginning with HTTP, such as
> [http://portal.uspto.gov/pair/PublicPair](http://portal.uspto.gov/pair/PublicPair).
> Past URLs using HTTPS to access Public Pair, such as
> [https://portal.uspto.gov/pair/PublicPair](https://portal.uspto.gov/pair/PublicPair),
> will no longer work.

So it seems that the maintenance will turn off HTTPS, not that it's unavailable
during the maintenance.

