
SSL Certificate mismatch (Answered)

Category group and category are irrelevant.  This is a domain issue.

The SSL certificates are for a.ssl.fastly.net and ssl.fastly.net, neither of which even seems to exist other than being registered to an "Eric Gould", who owns at least 111 domains (that I saw).

This is problematic.  Can it be fixed?  Or is someone trying to MITM?

Thanks,

Sean

13 Replies

Kiteman (2011-09-01)

Er...

Which website are you talking about?

Actually, change that; What are you talking about?


MeanderingCode, replying to Kiteman (2011-09-01)

https://secure.wikimedia.org/wikipedia/en/wiki/Secure_Sockets_Layer

It encrypts the connection between your browser and the server hosting the website.  This protects you from eavesdropping, and is critical with banking and other high-impact, high-risk interactions.  I feel it is important for all locations where I am authenticating with an account I own...less so here than with email, but a security consideration, nonetheless.

If you try to go to https://instructables.com you will run into a big scary warning in your browser, and looking at the details shows that the certificate is for an entirely different domain...one that looks a little sketchy, at that.

I didn't mean to post this here, but there is no clear place to "get help" from the management of Instructables.  I did email a link to this post to the info@instructables.com address, but I couldn't figure out how else to post anything up.  Do you have any directions for me on that?  I may have just been having a blind moment.


user

Hello. I'm not sure where you got that link from. Please let me know if you found it somewhere or just decided to try it yourself. Because if bad links are floating around the internet, I'd like to ask whoever has them, where they found them.

The secure connection you're trying to use is incorrect. If you'd like to log in through an SSL connection, please use the following link:
https://ssl.instructables.com/account/login

Please also let me know if you have any other questions.


user

Thanks for replying. I will use that.

I didn't have a link, I just edited the URL to https:// on the page where I was presented a login form, then tried https://instructables.com when I got the certificate mismatch error. I'm not sure why I would get an unrelated certificate instead of just a request timeout or connection refused. Perhaps it is a configuration on the web host?

Have you (if you are involved in running the site) considered allowing (at least partial) SSL for your whole domain? I'm happy to have my password transmitted encrypted, but there is also sidejacking style session stealing.


user

I've wished for that for a long time.


user

Because of the way we load the site, if we were to do this, it would require us writing out an entire second version of the site that worked slightly differently than the current one. Because of this, there's not much desire to do that. All of the pages that were deemed important and need secure processing have it, but to have two separate sites both working in tandem doesn't make much sense, and would create a lot of difficulties for us. Sorry.


kelseymh, replying to StumpChunkman (2012-09-06)

Hi, Matt. I only just found this thread (searching for previous bug reports). I'm confused about what you've written. The invalid certification authority is a server-hostname issue not a page-by-page issue.

Your hosting service should be providing certificates for the *.instructables.com domain, not for individual hosts. If https://ssl.instructables.com/ works, then so should https://www.instructables.com/, and https://cdn.instructables.com/, etc. If your hosting service isn't doing that, then they should fix it.

Or are you worried about having hardwired full path links on pages, so that if a user started on https:, you would have to have all the pages rewritten to also use https:? If you are using relative URLs, that should happen automatically and the page generators shouldn't have to deal with it at all.

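The rule a browser applies before showing the warning the original poster saw, and the one behind kelseymh's wildcard point, as an added example (not code from this thread, from Instructables or from Fastly): a certificate name covers the requested hostname only if it is an exact, case-insensitive match, or a wildcard that is the whole leftmost label and stands in for exactly one label. The SAN lists below are constructed; the first mirrors the names reported in the opening post.

```python
"""Hostname-vs-certificate name matching as a browser does it (RFC 6125 rules,
simplified). Constructed example, not code from Instructables or Fastly."""
from __future__ import annotations


def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (exact or wildcard) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # "*.example.com" covers neither "example.com" nor "a.b.example.com":
    # a wildcard stands in for exactly one label.
    if len(p_labels) != len(h_labels):
        return False
    # Only a whole leftmost label may be a wildcard; "f*.example.com" or
    # "www.*.com" are rejected, as is a wildcard that would cover a whole TLD.
    if any("*" in lab and lab != "*" for lab in p_labels) or "*" in p_labels[1:]:
        return False
    if p_labels[0] == "*" and len(p_labels) < 3:
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def cert_covers(san_names: list[str], hostname: str) -> tuple[bool, str | None]:
    """Return (ok, matching_name); ok False means the browser would warn."""
    for name in san_names:
        if name_matches(name, hostname):
            return True, name
    return False, None


# Constructed SAN lists. The first mirrors the names the original poster saw,
# the kind of default certificate a shared CDN endpoint returns when no
# customer certificate is selected (an assumption about the cause, not stated
# in the thread); the second is what kelseymh proposes for the site.
CDN_DEFAULT_CERT = ["a.ssl.fastly.net", "ssl.fastly.net"]
SITE_WILDCARD_CERT = ["*.instructables.com", "instructables.com"]

if __name__ == "__main__":
    checks = [
        (CDN_DEFAULT_CERT, "instructables.com"),         # mismatch -> warning
        (SITE_WILDCARD_CERT, "www.instructables.com"),   # covered by wildcard
        (SITE_WILDCARD_CERT, "instructables.com"),       # needs the explicit bare name
        (SITE_WILDCARD_CERT, "a.cdn.instructables.com"), # wildcard is one label only
    ]
    for names, host in checks:
        ok, via = cert_covers(names, host)
        print(f"{host:26} {'OK via ' + via if ok else 'MISMATCH (browser warns)'}")
```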

StumpChunkman, replying to kelseymh (2012-09-06)

Hey Kelseymh,

Honestly, I'm confused about what I wrote too, but I did it right after talking to the dev team and I trust that they know what they're talking about. You should message frenzy, as he'll know more about why things work the way they do.


kelseymh, replying to StumpChunkman (2012-09-06)

Done; thanks for the suggestion, Matt. I also suggested to Frenzy that he could e-mail me directly, since the PM interface is pretty limited.


user

Just found what I missed last time and moved this thread.

Don't know what hiccup happened to me or my browser before. Sorry :/


Kiteman, replying to MeanderingCode (2011-09-01)

Oh... kay...

I think I get that - you're paranoid, and your tinfoil just got scary.


Lithium Rain, replying to Kiteman (2011-09-01)

Um, not really.

There is apparently some weirdness going on with an ssl certificate which claims to be for Instructables (and isn't); it is possible that this is caused by someone else who is falsely trying to present themselves as the encrypted version of instructables. This means that they could (for instance) potentially steal a member's login data, cookies, and other session information.

Being security and privacy conscious is not the same thing as being paranoid.


MeanderingCode, replying to Kiteman (2011-09-01)

Thanks for that.

Tell all that to people who use any of the various (publicly disclosed) hacked services lately, the people whose Facebook or email accounts are hijacked to spam people they know and, oh yeah, do you use different passwords on all your online accounts? Because all it takes is someone to get your password on one to have access to all accounts sharing that password...or everything including your bank if they get your email.

Cyber crime is at an all time high...because now that we do everything, including commerce and banking online, it _pays_. Ask the Russian mob.
