Hi bob3160,
This string abuse works because the browser actually wants this to execute as %25%2530%2530
When I give your string in following directly from "https://ad.nl/" the browser URL bar shows:
http://caja.appspot.com/#https://ad.nl/%25%2530%2530
and this can be abused because my connection is no longer private, your bug code can be used as privacy error and for stealing credentials like passwords, messages, credit card details etc. Did you notice that, bob3160?
What you do with %%30%30 translated into %25%2530%2530 is a certificate hack and the server certificate no longer matches that URL or v.v. and the use of an older Cipher Suite is being flagged. Did you notice that, bob3160?
We stumbled upon something that could lead to indirect abuse on a large scale. Thank you very, very much for reporting this.
Trying this on the nameserver there: -http://ns1-25.akam.net/%25%2530%2530 and then consider this: 10 red out of 10 red Netcraft risk status. This certainly is an issue that goes beyond a mere Google Chrome browser bug, bob3160; you stumbled on something that needs to be analysed further, my good friend. Here the server just opens the main page:
http://www.telegraaf.nl//%25%2530%2530
Damian
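
The encoding layers behind the string discussed in the post above, as an added example that is not part of the original post: it decodes a URL path one percent-encoding layer at a time and shows how `%25%2530%2530` unwraps to `%%30%30` and further. The function names and the rejection policy are assumptions made for illustration.

```javascript
// Added example: count how many percent-decoding passes a URL path needs
// before it stops changing, and flag control characters in the result.

// One lenient decoding pass: only well-formed %XX triplets are decoded, so a
// stray "%" (as in "%%30%30") is kept instead of throwing the way
// decodeURIComponent would.
function decodeOnce(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Decode repeatedly until a fixpoint (or maxPasses) and keep every stage.
function decodeLayers(input, maxPasses = 8) {
  const stages = [input];
  let current = input;
  for (let i = 0; i < maxPasses; i++) {
    const next = decodeOnce(current);
    if (next === current) break;   // nothing left to decode
    stages.push(next);
    current = next;
  }
  return stages;
}

// Policy (assumption): reject a path that needs more than one decoding pass
// or whose fully decoded form contains an ASCII control character.
function inspectPath(path) {
  const stages = decodeLayers(path);
  const passes = stages.length - 1;
  const hasControl = /[\x00-\x1f\x7f]/.test(stages[stages.length - 1]);
  return {
    passes,
    hasControl,
    reject: passes > 1 || hasControl,
    stages: stages.map((s) => JSON.stringify(s)), // escaped for safe logging
  };
}

// Sample paths: the first two are the strings from the post, the third is a
// constructed ordinary path with a single encoded space.
for (const p of ["/%25%2530%2530", "/%%30%30", "/nieuws/a%20b"]) {
  console.log(p, inspectPath(p));
}
```
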