hhttps?
February 1, 2016 3:06 PM Subscribe
How does this sketchy "hhttps" link work?
I came across this link, which appears to link to a redirect page that serves one of a variety of sketchy links ("Your computer needs an antivirus" etc.) I'm trying to understand how it works, and I'm not getting anywhere with google (which just shows me more examples of it.)
http://hhttps//www.youtube.com/watch?v=pXbuP19AWDM
Note the beginning, which just looks like a typo or a mis-pasted link. Chrome reports it can't find the server "hhttps" which is what I would expect. However it works on Safari and Firefox so they must be parsing it differently, but I'm not sure how or where exactly it's pointing to.
I came across this link, which appears to link to a redirect page that serves one of a variety of sketchy links ("Your computer needs an antivirus" etc.) I'm trying to understand how it works, and I'm not getting anywhere with google (which just shows me more examples of it.)
http://hhttps//www.youtube.com/watch?v=pXbuP19AWDM
Note the beginning, which just looks like a typo or a mis-pasted link. Chrome reports it can't find the server "hhttps" which is what I would expect. However it works on Safari and Firefox so they must be parsing it differently, but I'm not sure how or where exactly it's pointing to.
When you say "it works on Safari and Firefox" what do you mean? What does the browser display?
posted by humboldt32 at 3:40 PM on February 1, 2016
posted by humboldt32 at 3:40 PM on February 1, 2016
Ah, Safari does in fact do something. I force killed ASAP.
Careful folks testing that link.
posted by humboldt32 at 3:41 PM on February 1, 2016
Careful folks testing that link.
posted by humboldt32 at 3:41 PM on February 1, 2016
Best answer: Yes, Firefox is auto-expanding the hostname from “hhttps” to “www.hhttps.com” which then redirects to another site. The expansion is part of its “fixup” algorithm for broken URLs. You can see what’s happening using Firefox’s built-in Network Monitor.
posted by mbrubeck at 4:00 PM on February 1, 2016 [7 favorites]
posted by mbrubeck at 4:00 PM on February 1, 2016 [7 favorites]
Response by poster: I probably should have added more info:
posted by ChurchHatesTucker at 5:13 PM on February 1, 2016
- OS X 10.10.5 (Yosemite)
- Safari 9.0.3
- Firefox 42.0 (see below)
- Chrome Version 49.0.2623.28 beta (64-bit)
posted by ChurchHatesTucker at 5:13 PM on February 1, 2016
It's possible, for instance, that an infected computer could be running a local proxy, identified by the non-canonical (i.e. would only work locally, and/or if the hosts file had been compromised) name 'hhttps'. If that were the case, that link would work, and the proxy would return whatever nastiness into your browser that it wanted to. Why the (possible, local) proxy? I dunno, maybe some effort at obfuscation from antivirus software or modern browsers' built-in phishing/malware protection. If not a local proxy, then just because it'd be more apt to fool you than a sketchy IP.
posted by destructive cactus at 5:43 PM on February 1, 2016
posted by destructive cactus at 5:43 PM on February 1, 2016
Yeah, it's redirecting you to hhttps dot com which whois says seems to be registered by a company in China, but it has somebody in the Czech Republic listed as admin, but it also says "this company does not own this domain name "
I'm not willing to open that website myself on this computer.
posted by Diag at 4:23 AM on February 2, 2016 [1 favorite]
I'm not willing to open that website myself on this computer.
posted by Diag at 4:23 AM on February 2, 2016 [1 favorite]
Yep, they're trying to fool people who don't read URLs carefully (or at all!), and want you to go to their undoubtedly-nefarious site.
It's a b0rked link, in this case intentionally, and you should avoid it.
posted by wenestvedt at 6:52 AM on February 2, 2016
It's a b0rked link, in this case intentionally, and you should avoid it.
posted by wenestvedt at 6:52 AM on February 2, 2016
FWIW , This is where I found the link:
https://twitter.com/Paulmd199/status/694254996003532800
On the link that I posted copied from above, the extra hhttps added to the link does not seem to be there?
Unless I am just not seeing it?
Also, I copied the link:
https://www.youtube.com/watch?v=pXbuP19AWDM
Directly from my original post.
I have no idea how the extra hhttps was added to the link. I don't think it is because I posted it that way, unless I inadvertently added it when copying?
Really weird to say the least.
posted by yertledaturtle at 1:23 PM on February 2, 2016
https://twitter.com/Paulmd199/status/694254996003532800
On the link that I posted copied from above, the extra hhttps added to the link does not seem to be there?
Unless I am just not seeing it?
Also, I copied the link:
https://www.youtube.com/watch?v=pXbuP19AWDM
Directly from my original post.
I have no idea how the extra hhttps was added to the link. I don't think it is because I posted it that way, unless I inadvertently added it when copying?
Really weird to say the least.
posted by yertledaturtle at 1:23 PM on February 2, 2016
Response by poster: yertle, I flagged your comment so I assume the mods fixed it.
It does appear to be a related site to "https.com", there are even some of the same pages served up. Is there someplace that tracks these kinds of things?
posted by ChurchHatesTucker at 5:06 PM on February 2, 2016
It does appear to be a related site to "https.com", there are even some of the same pages served up. Is there someplace that tracks these kinds of things?
posted by ChurchHatesTucker at 5:06 PM on February 2, 2016
« Older What kind of contractor do I need to prevent this... | How should I haved handled Profane Ridden... Newer »
This thread is closed to new comments.
There is a https.com which redirects to rewardsurveybrands.com which gives "you have been selected" popups (and other things when I open it in Lynx, there's clearly much heinous JavaScript and sketchy redirection involved). Perhaps Safari (or your platform) is noting the bare host name and adding a .com?
posted by straw at 3:26 PM on February 1, 2016