[Outages-discussion] paypal.com certificate revoked?
Chuck Anderson
cra at fea.st
Fri Oct 14 19:00:45 EDT 2022
If what you say is true, that seems like a very bad security hole in
the other browsers.
On Fri, Oct 14, 2022 at 03:42:17PM -0700, William Kern via Outages wrote:
> ok, paypal.com 302s to www.paypal.com
>
>
> # curl -I https://paypal.com
> HTTP/1.1 302 Moved Temporarily
> Content-Type: text/html
> Content-Length: 161
> Connection: keep-alive
> Location: https://www.paypal.com/
> Strict-Transport-Security: max-age=31536000; includeSubDomains
>
> So firefox must be checking the cert first before the redirect.
>
> But other browsers may be processing the 302 THEN checking and seeing
> the valid www.paypal.com
>
> -bill
>
> On 10/14/22 3:23 PM, Alex Cohn via Outages wrote:
> > I'm getting a "revoked" OCSP response for the cert currently used by
> > paypal.com, but a good response for www.paypal.com. The naked domain is
> > using OCSP stapling and is serving an older valid response, which is
> > probably why it's still working even on browsers that are configured to
> > check for certificate revocation.
> >
> > The two certificates are https://crt.sh/?id=7746738574 (revoked, used
> > by paypal.com) and https://crt.sh/?id=7754586913 (valid, used by
> > www.paypal.com).
> >
> > -Alex
> >
> > On Fri, Oct 14, 2022 at 5:14 PM George Herbert via Outages <outages at outages.org> wrote:
> >
> > > I get a good response now, with Produced At Oct 14 19:18:25 2022
> > >
> > > -george
> > >
> > > Sent from my iPhone
> > >
> > > > On Oct 14, 2022, at 2:43 PM, Chuck Anderson via Outages <outages at outages.org> wrote:
> > > >
> > > > Firefox says:
> > > >
> > > > Secure Connection Failed
> > > >
> > > > An error occurred during a connection to paypal.com. Peer’s Certificate has been revoked.
> > > >
> > > > Error code: SEC_ERROR_REVOKED_CERTIFICATE
> > > >
> > > > OCSP checker says:
> > > >
> > > > https://www.certificatetools.com/ocsp-checker
> > > >
> > > > Domain Name(s) paypal.com, paypal-workplace.com, xoom-experience.com,
> > > > buyindiaonline.com, paypal-experience.com, xoom.com, venmo-experience.com,
> > > > sandbox.paypal.com, paypal.me, cash2india.com
> > > > OCSP URI http://ocsp.digicert.com
> > > > Next Update Oct 21 18:12:02 2022 GMT
> > > > This Update Oct 14 18:57:02 2022 GMT
> > > > Cert Status revoked
> > > > Produced At Oct 14 19:13:05 2022 GMT
> > > > Response Type Basic OCSP Response
> > > > OCSP Response Status successful (0x0)
> > > > OpenSSL Command openssl ocsp -sha1 -issuer ca.crt -cert cert.crt -header host=ocsp.digicert.com -url http://ocsp.digicert.com -text -CAfile ca.crt -no_nonce
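The situation Alex describes, a naked domain stapling an older "good" OCSP response while the responder itself now answers "revoked", is worth having a check for on the operator side. The Python below is an added example, not code posted by anyone in the thread and not PayPal's or DigiCert's tooling: it parses the textual output of `openssl ocsp -text` (or the checker output quoted above), applies the RFC 6960 thisUpdate/nextUpdate freshness rule that a stapling client uses, and reports how long a still-valid staple would keep masking the revocation. The revoked response's timestamps are the ones quoted in the thread; the stapled "good" response's timestamps and the observation time are constructed, since the thread does not give them.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Timestamp format used by `openssl ocsp -text` and by the web checker quoted in the thread.
_OCSP_TIME = "%b %d %H:%M:%S %Y GMT"


@dataclass(frozen=True)
class OcspResponse:
    cert_status: str             # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: Optional[datetime]
    produced_at: datetime


def _parse_time(text: str) -> datetime:
    # openssl pads single-digit days with a space ("Oct  4 ..."); collapse it before parsing.
    return datetime.strptime(" ".join(text.split()), _OCSP_TIME).replace(tzinfo=timezone.utc)


def parse_ocsp_text(text: str) -> OcspResponse:
    """Extract status and validity window from textual OCSP output.

    Accepts both "Cert Status: revoked" (openssl ocsp -text) and
    "Cert Status revoked" (the checker output pasted in the thread).
    """
    def field(name: str) -> Optional[str]:
        m = re.search(rf"^\s*{name}:?\s+(.+?)\s*$", text, re.MULTILINE)
        return m.group(1) if m else None

    status, this_update, produced_at = field("Cert Status"), field("This Update"), field("Produced At")
    if status is None or this_update is None or produced_at is None:
        raise ValueError("OCSP text lacks Cert Status / This Update / Produced At")
    next_update = field("Next Update")
    return OcspResponse(
        cert_status=status.lower(),
        this_update=_parse_time(this_update),
        next_update=_parse_time(next_update) if next_update else None,
        produced_at=_parse_time(produced_at),
    )


def is_within_validity(resp: OcspResponse, now: datetime) -> bool:
    """RFC 6960 section 4.2.2.1: a response is usable while thisUpdate <= now <= nextUpdate."""
    if now < resp.this_update:
        return False
    return resp.next_update is None or now <= resp.next_update


def stapling_verdict(stapled: Optional[OcspResponse], now: datetime) -> str:
    """What a client that relies on the stapled response concludes without asking the responder."""
    if stapled is None or not is_within_validity(stapled, now):
        return "no usable staple"
    return stapled.cert_status


def compare_staple_with_responder(stapled: Optional[OcspResponse], fresh: OcspResponse, now: datetime) -> dict:
    """Flag the window in which a still-valid "good" staple masks a "revoked" answer from the responder."""
    verdict = stapling_verdict(stapled, now)
    usable_for: Optional[timedelta] = None
    if stapled is not None and stapled.next_update is not None and is_within_validity(stapled, now):
        usable_for = stapled.next_update - now
    return {
        "stapled_verdict": verdict,
        "responder_verdict": fresh.cert_status,
        "divergent": verdict != fresh.cert_status,
        "staple_usable_for": usable_for,
    }


# Values from the thread's OCSP checker output (the responder's answer for the paypal.com cert).
RESPONDER_TEXT = """
Next Update Oct 21 18:12:02 2022 GMT
This Update Oct 14 18:57:02 2022 GMT
Cert Status revoked
Produced At Oct 14 19:13:05 2022 GMT
"""

# Constructed: the thread says the naked domain staples an older "good" response but gives no
# timestamps for it, so these are illustrative, written in `openssl ocsp -text` style.
STAPLED_TEXT = """
    Cert Status: good
    This Update: Oct 14 06:00:00 2022 GMT
    Next Update: Oct 21 06:00:00 2022 GMT
Produced At: Oct 14 06:05:00 2022 GMT
"""

# Constructed observation time, shortly after the thread's responses were produced.
NOW = datetime(2022, 10, 14, 19, 30, 0, tzinfo=timezone.utc)


def run_example() -> dict:
    return compare_staple_with_responder(parse_ocsp_text(STAPLED_TEXT), parse_ocsp_text(RESPONDER_TEXT), NOW)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

To run it against live data, feed `parse_ocsp_text` the stapled response printed by `openssl s_client -connect host:443 -status` and the responder's answer from the `openssl ocsp` command shown above. A `divergent` result with a long `staple_usable_for` is the operator's signal to refresh the staple (or swap the certificate) on the server rather than wait for the old response to expire.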