
It's 2016, and Instructables is owned by a big company now. Why does it still not support HTTPS successfully? Answered

(I thought there was a forum for topics about the Instructables website itself, but apparently not, so I'm putting this in Square Pegs.)

Posting this publicly poses no risk to the security of the Instructables website or any user's account. Any attacker who would use this information (which is pretty much all of them) would be able to figure it out on their own more easily than finding and reading this post. It is extremely obvious to anyone who simply looks at the address bar while visiting the website. (I would be very surprised to learn that no one has taken advantage of it already, if that can even be proven.)

Instructables appears to be severely behind the times when it comes to keeping its users' accounts safe from hacking, and their communications secure from eavesdropping and tampering.

Just about everyone who runs a website or is very active online these days knows the importance of having a secure HTTPS connection between your computer and the website's server. (For anyone who hasn't been paying attention for the past ten years or so, here's a Wikipedia article about it.) Like any security-conscious Web user, I'm reluctant to log into any website that doesn't use HTTPS, especially when I'm on an Internet connection that's not my own. (Just look up Firesheep to see why.)

In the early years of the Web, HTTPS didn't exist, and every webpage was loaded and every form was submitted insecurely.

Then HTTPS was developed. For years, many websites used HTTPS just for their login pages, and used HTTP (i.e. insecure communication) for the rest of the site, once you logged in. This was better than only HTTP because it kept man-in-the-middle attackers from seeing your password, but they could still manipulate the content you saw or the actions you took after logging in, or take over your session using Firesheep. At that time, website operators didn't want to use HTTPS for their entire sites because it would slow down page loading.

These days, however, most websites that you can log into use HTTPS for everything, because it's more secure and there's no longer any reason not to. HTTPS is now much faster than HTTP, because it allows more optimization and compression.

The only websites I can think of other than Instructables that let you log in insecurely are those that don't support HTTPS at all, mostly small-time forums operated by people without much website administration expertise.

It appears that Instructables has made some attempts to support HTTPS, as evidenced by this forum topic from 4 years ago. That was a complaint that the certificate (from Fastly, the CDN Instructables uses) wasn't valid for Instructables and was therefore rejected by the user's Web browser, preventing a secure connection. One of the replies mentioned that a secure login page was available at https://ssl.instructables.com/account/login, and that login page is actually still available.

However, it is not linked to from any other page that I can find, meaning that everyone who doesn't know about it (i.e. the vast majority of users) is logging in insecurely, meaning that the sentence "When sensitive personal information is transferred over the Internet, we encrypt it using Transfer [sic] Layer Security (TLS) encryption technology or similar technology." in the Autodesk Privacy Statement is factually incorrect about Instructables. Furthermore, working HTTPS doesn't seem to be available at all for the user account settings, meaning that when a user changes their password, both the old password and the new password are transmitted insecurely, which also makes that sentence incorrect.

Additionally, when I try to use HTTPS for any other Instructables page, it doesn't work. https://ssl.instructables.com redirects to https://www.instructables.com, while https://www.instructables.com results in the above-mentioned certificate error because the certificate Fastly is using doesn't include Instructables on the list of (many) sites that it's valid for. (I can bypass the certificate error and load Instructables over HTTPS anyway, but this is a bad security practice, and the connection does not stay on HTTPS as I browse, making it pointless.)

In summary, Instructables seems five to ten years behind the rest of the Web when it comes to user account security.

However, I think this could probably all be solved pretty easily, by asking Fastly to enable (or fix, if it's supposed to be enabled already) HTTPS for the domain [www.]instructables.com, and either changing all links to point to HTTPS URLs or (preferably) enabling HSTS, which will cause all users to use HTTPS regardless of the URLs they type or the links or old bookmarks they click. This would likely have the side benefit of speeding up page loading for all users.


P.S. The lack of HTTPS has also caused me to worry about another aspect of Instructables account security. The Privacy Statement says nothing about how users' credentials are stored on the server(s) to prevent breaches of sensitive information by malicious attackers, negligence, disgruntled employees, etc. (It only says that employees are only allowed to access users' information if they need to to perform their duties, and that data is securely destroyed when no longer needed.) Does Instructables use industry-standard salted hashing (SHA-1 or better) to keep users' passwords secure on the server(s)?
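
An added example, not part of the original post: a small Python audit of the three conditions the post describes, namely a certificate whose SAN list does not cover the site, a missing HSTS policy, and a password form that submits over HTTP. The function names, hostnames and sample page are constructed for illustration, and the headers are assumed to arrive as a dict keyed by lower-case name.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

def san_matches(host, sans):
    """True if an exact or single-label wildcard SAN covers host."""
    host = host.lower().rstrip(".")
    wildcard = "*." + host.partition(".")[2]
    return any(s.lower() in (host, wildcard) for s in sans)

def hsts_max_age(value):
    """max-age (seconds) from a Strict-Transport-Security value, else None."""
    for directive in (value or "").split(";"):
        name, _, arg = (p.strip() for p in directive.partition("="))
        if name.lower() == "max-age" and arg.strip('"').isdigit():
            return int(arg.strip('"'))
    return None

class PasswordForms(HTMLParser):  # collects actions of forms holding a password field
    def __init__(self):
        super().__init__()
        self.current, self.actions = None, set()
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.actions.add(self.current)  # None = field outside any form
    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None

def audit(page_url, headers, html, cert_sans):
    """Findings for one page; headers is a dict keyed by lower-case name."""
    url, findings = urlparse(page_url), []
    if not san_matches(url.hostname, cert_sans):
        findings.append("certificate does not cover " + url.hostname)
    if url.scheme != "https":
        findings.append("page served over plain HTTP")
    elif not hsts_max_age(headers.get("strict-transport-security")):
        findings.append("no usable HSTS header")  # absent, malformed or max-age=0
    forms = PasswordForms()
    forms.feed(html)
    for action in sorted(forms.actions - {None}):
        target = urljoin(page_url, action)
        if urlparse(target).scheme != "https":
            findings.append("password form posts to " + target)
    return findings

SAMPLE_HTML = '<form action="/login"><input type="password"></form>'  # constructed
SAMPLE_SANS = ["*.cdn.example.net", "shop.example.org"]  # constructed shared-CDN SAN list
```

The HSTS header is only evaluated for pages fetched over HTTPS, because browsers ignore it when it arrives over plain HTTP.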


Wait... Why don't eBay use Https?

That makes no sense!

I know, they use HTTPS to process sign-in, but then it redirects back to HTTP. I'm not sure if they do it to prevent SSL certificate issues with third party content (adverts) hosted on HTTP servers. Split HTTP/HTTPS content on the same page will cause the browser to report a certificate error.

I can't believe you haven't had a response yet.

Ian doesn't seem to have been active for a while.

This topic should be in Feedback, or the content of the post could be emailed directly to service@instructables.com

I have done that, thanks.

Spam has many definitions. I have had the same email here for years too. But this is different. When someone can become multiple members on instructables and then they follow you with basically the same profile and they are stupid enough to put a code in their address bar that's how I know they are spamming people. This is only one way of spamming.

Kind regards,

What do you mean by "they are stupid enough to put a code in their address bar"?

Thanks for that, Kiteman. I will send them the spam I have received.
I keep coming across your coin game tutorial, I printed out all the templates and I still haven't had time to make it, but I will one day even if it's the last thing I do, lol !

Silly question, but how do you know the spam you get is thanks to your data being stored on this site? I've been a member for 11 years, always with the same email address, and I get no spam I can link to instructables (at most, I only get one or two pieces a day, actually, most of which is faked to look like it comes from FedEx [a service I don't use], Snapchat [an app I have never downloaded] or Amazon [who do not know my main email address])

Full member only for a few years but reading here for much longer and never had a single problem.
I also fail to see the fuss about HTTPS compared to HTTP.
Almost all cases of spam or attacks happen because of weak or useless passwords on the user end but not so much because HTTP is used instead of HTTPS.
When I was an active forum moderator and admin we had complaints almost on a weekly basis.
Did that for about 3 years and in this timeframe there was not a single case where the website or its security was compromised, only users with hacked accounts due to weak passwords.
Once fed up enough we simply blocked all user logins completely until the user used the link supplied in the Email to reset the password and use one with at least 8 characters, upper and lower of course, at least one number and one special character.
Guess what? From that day on there were no complaints at all anymore about hacked user accounts, plus we weeded out about 2500 accounts with identical IP or Email addresses....

For forums, users love to complain that they got hacked, attacked or spammed because the forum is not safe enough.
Sad truth is that in 99% of cases it is ads causing the problem and the owner of the website has little to no say on what is pushed through the ads.
Ask yourself:
1. Is my password long and secure enough?
2. Do I allow every damn advertisement to spam my screen?
3. Do I actually use any proper software on my system to prevent my identity from being stolen or misused?
4. Am I lazy and allow the browser to store all my passwords?
5. Am I lazy again and use the same password for multiple websites?
The best way to avoid being scammed, hacked or get your identity stolen is not to use the internet at all ;)

And don't fall for this simple trick:

Did you know that Instructables censors your passwords? This is mine: ***********. Does it work for you too?

I saw this on Youtube a few months ago, and once again was shocked by how gullible people can be...

The tech team has now removed those spammers. Basically they were signed up members to instructables peddling their female wares and were subscribing to me here on instructables. My email has never been hacked.

The big deal about SSL (the green padlock) is that Google are now penalising any sites that don't have it so if you log onto an HTTP site google will shoot you a notice to say this site is not secure. That's their plan for this year.