Remember Peter Doshi? The researcher whose shocking (it isn’t) opinion pieces are used by anti-vaccine zealots almost on a yearly basis? The researcher who presented at an anti-vaccine conference hosted by the notoriously misnamed National Vaccine Information Center? Yeah, you remember. Well, he’s back.
This time, he is apparently outraged that there is a glitch in how certain browsers handle the web address for the Vaccine Adverse Events Reporting System:
“For over three weeks, the website of the US government Vaccination Adverse Reporting System (VAERS) has been inaccessible to most users. The website address, http://www.vaers.hhs.gov, is printed on the vaccine information statements (VISs), short documents listing the benefits and risks of vaccines that are required by law to be distributed with every vaccine dose administered in the US.1
But the website link leads anybody using the web browsers Chrome, Firefox, and some versions of Internet Explorer to a warning page. “Your connection is not private,” it says in large font on my screen (fig 1⇓). “Attackers might be trying to steal your information from http://www.vaers.hhs.gov (for example, passwords, messages, or credit cards).” The only browser that seems to consistently connect properly is Safari, used by only around a quarter of people accessing government sites.2”
See, you should be using Apple products. He continues:
“I can’t speak for others, but I suspect most people will respond to such a warning by closing their browser and moving along. The adverse event will go unreported. Few will realize that connecting to vaers.hhs.gov (that is, dropping the “www.”) takes you to the intended website.”
You don’t say? People who have had an adverse event, or their healthcare providers, will just shrug their shoulders and say, “screw it”? But then he buries the lede:
“Technically, the website is not down. It is just misconfigured such that the website address advertised to millions is not working, and hasn’t been working for at least three weeks.”
So what did Peter Doshi, PhD, do? Did he call CDC to tell them? Did he research the glitch to see why it’s happening? Did he know that there are other ways to report to VAERS beyond online? He apparently just shot off an email and then waited (probably on a gold-lined throne, as I hear they pay well at the BMJ) for a response:
“It’s not known how long this problem has been going on, but I informed the US Department of Health and Human Services, which runs the VAERS program, on 25 April. After not hearing back, I sent another email on 2 May. I then received a call from Elisa (she wouldn’t provide her last name out of a concern for confidentiality), who said the information technology staff were working on it. Presumably they’re still working on it as the problem isn’t fixed.”
Does Peter Doshi, PhD, expect CDC to get on the phone with Mozilla, Google and Microsoft to fix this? Because it’s really their problem. (As he himself wrote, the Safari browser, created and maintained by Apple, deals with the web address just fine.)
I’ve emailed Peter Doshi, PhD, to congratulate him on this new little nugget he’s given the anti-vaccine nuts. They love it when someone with a doctoral-level education sees any issue, no matter how small, with the system of immunizations in the United States and abroad. See, when someone sees things your way, and when that person is highly educated and holds a position at a prestigious journal, then your views (no matter how skewed) are valid. The horrible things in your imagination become a little more real.
Update! A reader pointed something out to us that bears repeating:
“The problem is the SSL certificate was generated for vaers.hhs.gov but he is going to http://www.vaers.hhs.gov.
Because of this mismatch, the browser is rejecting it. HHS needs a certificate that covers both vaers.hhs.gov and http://www.vaers.hhs.gov. It is indeed a misconfiguration but it’s relatively minor.
The government is making a sincere effort to make sure their web sites are more secure, but sometimes they mess up. Most users will
SSL certificates facilitate encryption of traffic between the user and web site. They also allow users to verify that they are connected to the real web site, rather than a hacker’s web site. The mismatch is causing the browser to think that the user is not going to the genuine site.”
The Poxes Blog 
The problem is with the website redirecting http://www.vaers.hhs.gov to vaers.hhs.gov, which the certificate is issued for.
So, what he discovered is that Safari browser is actually broken and vulnerable to cross site scripting attacks.
All of the browsers he complained about were functioning correctly and refusing to connect to a site with an invalid certificate.
Firefox reports it thusly:
“The owner of http://www.vaers.hhs.gov has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.”
The mystery is confounded with the small fact that is revealed under “Advanced Options”.
“www.vaers.hhs.gov uses an invalid security certificate. The certificate is only valid for vaers.hhs.gov Error code: SSL_ERROR_BAD_CERT_DOMAIN”
Oh wait, that isn’t a mystery. It’s a fouled up DNS redirect and script redirect that was bungled.