osv.dev redirects to google.github.io/osv.dev/ which 404s #1815

Closed
RichardoC opened this issue Nov 16, 2023 · 7 comments
Labels
bug Something isn't working

Comments

@RichardoC

Describe the bug
A clear and concise description of what the bug is.
https://google.github.io/osv.dev/ currently has an invalid certificate; this can be reached when you click "FAQ" from the top left of https://osv.dev/blog/
The certificate is only valid for google.com, and when you click through the warning you get a 404 from the Google Front End

To Reproduce
Steps to reproduce the behaviour:

  1. Go to https://osv.dev/blog/
  2. Click on "FAQ"
  3. See that https://google.github.io/osv.dev/ is pointing to the google front end, which serves a certificate for google.com and shows a 404

Expected behaviour
A clear and concise description of what you expected to happen.
The FAQs for osv load as expected

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.

RichardoC changed the title from "Invalid certificate" to "osv.dev redirects to google.github.io/osv.dev/ which 404s" on Nov 16, 2023
@andrewpollock
Contributor

@RichardoC thanks for reporting this, I'm having trouble reproducing it though.

@andrewpollock
Contributor

@RichardoC Given you changed the title, I wonder if step 3 of your reproduction needs to be edited as well? If I'm reading correctly, it sounds like the problems were all within google.github.io, which is GitHub serving infrastructure. I wonder if it had a temporary glitch?

@RichardoC
Author

Here's a video of the issue. I suspect it's just that the URL for the FAQs is wrong.
Screencast from 16-11-23 23:20:00.webm

oliverchang added the "bug" (Something isn't working) label on Nov 20, 2023
@andrewpollock
Contributor

Thanks for the screencast, that helped surface the additional detail of Firefox being the browser.

This is looking to me like some sort of browser certificate pinning error, because for me with Chrome, I'm seeing everything to be in order, and based on the failure message I'm seeing, the certificate being expected by your browser is a Google certificate, but this site is a *.github.io site.

Would you mind trying this with a totally fresh Firefox browser profile, or (I think Firefox calls it) a "Private Browsing" window?

@andrewpollock
Contributor

This is what I'm seeing with Chrome, and doesn't look like what you're seeing with Firefox:

$ echo | openssl s_client -showcerts -servername google.github.io -connect google.github.io:443 2>/dev/null | openssl x509 -inform pem -noout -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:4d:72:d7:7c:dd:a7:02:dd:5a:67:f2:a2:3b:bd:d9
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
        Validity
            Not Before: Feb 21 00:00:00 2023 GMT
            Not After : Mar 20 23:59:59 2024 GMT
        Subject: C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = *.github.io
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                B7:6B:A2:EA:A8:AA:84:8C:79:EA:B4:DA:0F:98:B2:C5:95:76:B9:F4
            X509v3 Subject Key Identifier: 
                8D:02:1C:75:5A:CD:C6:A6:41:78:69:28:C3:F7:AA:A7:98:3B:D5:BB
            X509v3 Subject Alternative Name: 
                DNS:*.github.io, DNS:github.io, DNS:*.github.com, DNS:github.com, DNS:www.github.com, DNS:*.githubusercontent.com, DNS:githubusercontent.com
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl
                Full Name:
                  URI:http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.2
                  CPS: http://www.digicert.com/CPS
            Authority Information Access: 
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt
            X509v3 Basic Constraints: 
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption

@RichardoC
Author

Good news, this seems to be working now! My guess is there was some kind of DNS issue, because this is now correctly pointing to a GitHub server rather than a Google one.
https://www.shodan.io/host/185.199.109.153

@andrewpollock
Contributor

Most strange. I'd love to know what it was pointing at when you were experiencing the errors...
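
An added example (not part of the original thread and not OSV project code): it parses the Subject Alternative Name line from the `openssl x509 -text` output posted above and applies RFC 6125-style matching, showing why `google.github.io` validates against the GitHub certificate but not against one valid only for google.com. The function names are hypothetical, the `["google.com"]` list is constructed from the reporter's description, and requiring at least three labels for a wildcard is a conservative assumption.

```python
import re

# SAN lines copied from the openssl output earlier in this thread.
OPENSSL_TEXT = """\
            X509v3 Subject Alternative Name: 
                DNS:*.github.io, DNS:github.io, DNS:*.github.com, DNS:github.com, DNS:www.github.com, DNS:*.githubusercontent.com, DNS:githubusercontent.com
            X509v3 Key Usage: critical
"""

def san_dns_names(x509_text):
    """Return the DNS entries of the SAN extension in `openssl x509 -text` output."""
    lines = x509_text.splitlines()
    for i, line in enumerate(lines):
        if "X509v3 Subject Alternative Name" in line and i + 1 < len(lines):
            return re.findall(r"DNS:([^,\s]+)", lines[i + 1])
    return []

def name_matches(pattern, host):
    """'*' is honoured only as the whole leftmost label and covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Assumption: refuse wildcards directly under a single label (e.g. "*.com").
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def matching_sans(host, sans):
    """SAN entries covering `host`; an empty list is the browser's name-mismatch error."""
    return [s for s in sans if name_matches(s, host)]

if __name__ == "__main__":
    sans = san_dns_names(OPENSSL_TEXT)
    # Certificate seen from Chrome in this thread: covered by the wildcard entry.
    print("GitHub cert:", matching_sans("google.github.io", sans))
    # Constructed case: a certificate valid only for google.com, as the reporter described.
    print("google.com-only cert:", matching_sans("google.github.io", ["google.com"]))
```

An empty result for a hostname that should be covered means the client reached a different server than intended, so the next check is which address the name resolved to at that moment.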
