Bug or phish (Answered)

If you go to this page:

https://www.instructables.com/pages/search/search.jsp?cx=partner-pub-1783560022203827%3Anpr2q7v5m6t&cof=FORID%3A11&ie=ISO-8859-1&q=guitar+slide+sumguysr

and click on the second result, with the URL:

https://www.google.com/url?q=https://www.instructables.com/member/sumguysr/%3Fshow%3Dcomments%26limit%3D500&sa=U&ei=DxQwUNWVCuah0QWm84DgDA&ved=0CAkQFjAB&client=internal-uds-cse&usg=AFQjCNFRIGm1lMtySmLz8cbkTJ5QjiVt7w

you get this message:

This is probably not the site that you are looking for!
You attempted to reach www.instructables.com, but instead you actually reached a server identifying itself as *.a.ssl.fastly.net. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of www.instructables.com.
You should not proceed, especially if you have never seen this warning before for this site.


Nothing seems to be wrong here (tried different machines, OSes, and Internet connections with same results.)

Something wrong? Or something smelly?

15 Replies

Kiteman (author) 2012-08-18

I get the same issue when using the link you post, but when I search for guitar+slide+sumguysr, as you did, none of the links that come up give the same error.

I have no idea what you did, but at least you've shown your security software is working.

rblee (author), in reply to Kiteman, 2012-08-19

Thanks for that - I really put it up in case it was more of whatever Instructables suffered from a short while ago that had Google, at least, blacklisting them.

Thanks again.

kelseymh (author), in reply to rblee, 2012-08-19

Thanks for putting it up. You provided a clear and detailed bug report, with enough information to both reproduce the problem and figure out the underlying cause.

rblee (author), in reply to kelseymh, 2012-08-19

After a couple of decades of application design and development, I would be a hypocrite if I didn't give enough information for the relevant knossers to at least know what questions to ask next, if not actually work it out.

Shame I never had much to do with the sticky end of networking :) (not really...)

kelseymh (author), in reply to rblee, 2012-08-19

Yep! Same reason I pay attention to good bug reports and try to assist.

The main point of the Web (this was part of Tim's original design) is that you're not supposed to have to deal with the networking stuff!

If you remember the days of FTP, Gopher, Veronica, CompuServe and AOL, BBS downloads, then you remember how you had to keep track of all the individual details of different protocols, how to connect, what commands to use, and on and on and on.

Tim Berners-Lee designed his "WWW" client to have all of that knowledge built in. Users were supposed to just be able to specify the location (URL) of a file, and the software would take care of all of the details to access it. He also designed the HTTP protocol so that it could handle any kind of data, whether ASCII files or binary images or even database query results. That way the user would not have to know what they were asking for, other than the information they wanted.

rblee (author), in reply to kelseymh, 2012-08-19

Oh yes, I remember all that stuff.

The problem has been that Sir Tim's original conception didn't include widespread threats, bullying, and dishonesty. It gives me a satisfying feeling of schadenfreude to hear some of my contemporaries wailing about the rapidly reducing opportunities for anonymity that the web affords, not least due to their endless flame wars and terabytes of stolen copyright works.

If the web is getting over-complicated, over-monitored and over-intrusive, we would do well to ponder on how we got here.

Still, what can you say about something whose acronym contains more than twice as many syllables as its full name :)

kelseymh (author), in reply to rblee, 2012-08-19

:-) Yeah. The Web was invented for particle physicists, who aren't generally as publicly rude as the average YouTube commenter :-/ (We can be vicious in private, but we don't like airing our dirty laundry).

I think if you pronounce it "dubya dubya dubya" it's not quite as bad :-)

rblee (author), in reply to kelseymh, 2012-08-19

World Wide Wait works for me or, in darker moments, Winky Wanky Woo, but let's not go there :)

kelseymh (author), in reply to Kiteman, 2012-08-19

The user may have been logged into a Google account. The Google-driven search returned an SSL (https:) URL, and included that method in the enclosed I'bles result URL.

rblee (author), in reply to kelseymh, 2012-08-19

Whoo...

That would seem to explain it. Not dangerous, but not clever either.

kelseymh (author) 2012-08-18

Using Firefox, I get a somewhat more informative message.

I believe the underlying problem is that Instructables is actually (as most sites are!) hosted by one of the large back-end services, presumably Fastly.com. When you use the https: protocol (look at the start of the URL you cited), that tells your browser to (a) encrypt traffic to and from the site; and (b) to request an authentication certificate from the site before accepting any data.

The trouble is that Instructables has not, apparently, contracted with Fastly to register their own valid certificate. Hence, when your browser asks for a valid certificate for "instructables.com", what it gets back is a certificate for a bunch of other sites hosted by Fastly, but not for Instructables itself.

I don't know why you have an https: URL, but if you change it to a simple unencrypted http: URL, you won't get the error and you will get valid Instructables content.

I am also sending a report about this to <service (at) instructables.com>, so they can address it properly.

rblee (author), in reply to kelseymh, 2012-08-19

Many thanks for that clear explanation.

The thing that worried me was that the apparent url (i.e. the displayed url) was very different to the "true" url (the one that was actually invoked) which is a trick commonly used by phishers, amongst others.

To some extent Instructables is on a hiding to nothing, as their user base is probably more computer literate than most, and likely to be a target for "kids showing their chops" from time to time, and the complexity of the site is inevitably going to leave the occasional hole.

Thanks again.

kelseymh (author), in reply to rblee, 2012-08-19

That weird complicated URL is the way Google gives you its search results. Google embeds the actual URL as an "argument" to their own site, so they can record it in their database if you select it. The actual URL that caused your warning message was the part beginning https://www.instructables.com/....

rblee (author), in reply to kelseymh, 2012-08-19

Hmm. Perhaps a little too clever?

Is it true to say that the offending bit is actually the "s" of "https"?

kelseymh (author), in reply to rblee, 2012-08-19

Yes. The "s" stands for "secure." Sites which support the HTTPS protocol include an authentication system so that your browser can "guarantee" that the site is who you think it is, and also provide a public key (from a public/private key pair) so that the data is encrypted.

The problem here is simply that Instructables (really, their service provider) is not sending the correct authentication.

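Added example (not part of any post in this thread): the two explanations above, that the Google result link wraps the real https: URL and that the certificate returned was for *.a.ssl.fastly.net, traced in Python. The function names are hypothetical, and the wildcard rule is the common one-label match from RFC 6125 in simplified form.

```python
from urllib.parse import urlsplit, parse_qs

# The search-result link quoted in the question, tracking parameters as posted.
RESULT_LINK = ("https://www.google.com/url?q=https://www.instructables.com/member/sumguysr/"
               "%3Fshow%3Dcomments%26limit%3D500&sa=U&ei=DxQwUNWVCuah0QWm84DgDA"
               "&ved=0CAkQFjAB&client=internal-uds-cse&usg=AFQjCNFRIGm1lMtySmLz8cbkTJ5QjiVt7w")
# The only certificate name the browser warning reports.
PRESENTED_NAMES = ["*.a.ssl.fastly.net"]


def unwrap_redirect(link):
    """Return the destination carried in the 'q' parameter, or the link itself."""
    q = parse_qs(urlsplit(link).query).get("q")
    return q[0] if q else link


def name_matches(pattern, host):
    """Simplified RFC 6125 match: '*' is a whole left-most label, covering one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and bool(h[0]) and p[1:] == h[1:]
    return p == h


def check(link, cert_names):
    """Return (scheme, host, verdict) for the URL the browser actually fetches."""
    target = urlsplit(unwrap_redirect(link))
    host = target.hostname or ""
    if target.scheme != "https":
        # Plain http: no certificate is requested, so nothing is verified.
        return target.scheme, host, "no certificate check (plain http)"
    ok = any(name_matches(name, host) for name in cert_names)
    verdict = "certificate matches" if ok else "name mismatch warning"
    return target.scheme, host, verdict


if __name__ == "__main__":
    print(unwrap_redirect(RESULT_LINK))
    print(check(RESULT_LINK, PRESENTED_NAMES))
```

Passing an http: URL to `check` returns the "no certificate check" verdict: the warning goes away because no server identity is verified at all, not because the certificate was corrected.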