As patent researchers, we know that the actual contents of our searches—the search terms, the records we view, and even the names of our work files—can be highly sensitive information.
But are we doing everything we can to protect this sensitive data as we do our searches over the internet?
HTTP, or Hypertext Transfer Protocol, is the basic protocol for communicating over the World Wide Web. The protocol allows websites (and the associated web servers) and web browsers to establish connections and transfer information.
HTTP is the default mode of communication on the web. This is beginning to change, and groups such as the Electronic Frontier Foundation are pushing for such change, but HTTP is still the dominant method of information transfer between websites and web browsers.
Plain HTTP presents at least two problems for security-minded researchers.
HTTP traffic is unencrypted… and much of it is cleartext
“Cleartext” is a telecommunications term that refers to text that can be read and understood by ordinary humans without additional processing. Because HTTP traffic is unencrypted, much of it is sent as cleartext.
This means that if you send potentially sensitive information (your login credentials, your search parameters and other identifying text) via HTTP, it could be read easily by someone who intercepts or eavesdrops upon your connection.
In shared networks such as those found in public wi-fi hotspots, HTTP-only connections are particularly vulnerable.
On a network where others have the appropriate tools and access, ordinary HTTP communications are readable by anyone able to capture the traffic. If these are people you trust, you may not have a problem, but given the sensitive nature of patent searches, do you want to merely hope for the best?
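To make the cleartext point concrete, here is an added example (not part of the original article) that parses the bytes of a constructed plain-HTTP search request the way any capture tool could. The host, path, field names and values are invented for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a search form submitted over plain HTTP. The host,
# path, field names and values are all invented for this illustration.
BODY = b"user=jdoe&password=hunter2&q=solid+state+battery+anode"
SAMPLE_REQUEST = (
    b"POST /search?workfile=acme-fto-2015 HTTP/1.1\r\n"
    b"Host: patents.example\r\n"
    b"Cookie: session=abc123\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"\r\n" + BODY
)


def readable_on_the_wire(raw: bytes) -> dict:
    """Return what anyone holding these bytes can read without any key."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)

    # Header names are case-insensitive, so normalise them to lower case.
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    url = urlsplit(target)
    exposed = {
        "host": headers.get("host"),
        "path": url.path,
        "query": parse_qs(url.query),   # e.g. the name of a work file
        "cookie": headers.get("cookie"),  # the session identifier
        "form": {},
    }
    content_type = headers.get("content-type", "")
    if content_type.startswith("application/x-www-form-urlencoded"):
        # Login fields and search terms travel in the body, equally readable.
        exposed["form"] = parse_qs(body.decode("iso-8859-1"))
    return exposed


if __name__ == "__main__":
    for field, value in readable_on_the_wire(SAMPLE_REQUEST).items():
        print(f"{field}: {value}")
```

Sent over HTTPS, the same request travels inside encrypted TLS records, so the path, query string, cookie and form body are not readable this way.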
In addition, HTTP does not require authentication of the servers providing the information to the web browser. Because the browser cannot verify which server it is talking to, communications sent via ordinary HTTP are more susceptible to “man-in-the-middle” attacks: interception or even modification of information by malicious agents.
What is HTTPS, and why is it better?
HTTPS, also referred to as HTTP Secure, HTTP over TLS (Transport Layer Security, the newer protocol), or HTTP over SSL (Secure Sockets Layer, the original protocol), is a way of protecting information transferred between clients and servers over the World Wide Web.
HTTPS improves the security, privacy and integrity of HTTP communications by encrypting communications between clients and servers while also requiring that servers provide authentication credentials to identify themselves.
HTTPS is thus designed to give us greater confidence that:
- the website we are talking to is the one we think we are talking to
- others cannot easily read the communications we send to the websites we visit
- the traffic that passes between our web browsers and servers will not be tampered with by a third party
HTTPS is the protocol we expect to see used whenever we conduct financial transactions over the web. However, it is also the protocol that more and more security and privacy experts are recommending for all our communications over the web.
Extending the use of HTTPS to our activities as patent researchers serves us and our clients, and our commitment to HTTPS also shows our clients our commitment to their information privacy and security.
The catch, however, is that it is not always easy to “Go HTTPS” for every site we visit.
If you are a LexisNexis® TotalPatent® user, “going HTTPS” for your search session is, in fact, as easy as one simple click. Just check the checkbox beside the text “Use a Secure Connection (SSL) for Entire Session” when you sign in, and you will use HTTPS for your entire session. Note that your login credentials are always sent via HTTPS.
However, HTTPS is not always a given. HTTP is still the default mode for many websites, including websites as prominent for patent researchers as the USPTO’s own website—at least as of August 21, 2015; check the United States Government’s Pulse Website at https://pulse.cio.gov/https/domains/#q=uspto for the USPTO’s current status.
So think about your go-to intellectual property research sources. Do you know which ones offer you the option to search via HTTPS? Do you know which ones offer no such option at all?
These are questions worth thinking about. And HTTPS? Definitely: an option worth demanding.