[Outages-discussion] paypal.com certificate revoked?
Fabian Wenk
fabian at wenks.ch
Sat Oct 15 06:41:53 EDT 2022
Hello William
On 15.10.2022 01:18, William Kern via Outages-discussion wrote:
> yes, I was wondering about that. If you 0wned paypal.com but not
> www.paypal.com you could redirect them somewhere nasty.
Sure, something like this could happen, but it is probably not the case in
what we see.
From my location paypal.com does resolve to two IP addresses (only
IPv4, no IPv6 AAAA entry):
% dig -t a paypal.com
; <<>> DiG 9.18.7 <<>> -t a paypal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34200
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 3d4e80718edbaf1201000000634a7bd2080314135694247b (good)
;; QUESTION SECTION:
;paypal.com. IN A
;; ANSWER SECTION:
paypal.com. 266 IN A 64.4.250.36
paypal.com. 266 IN A 64.4.250.37
;; Query time: 0 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Sat Oct 15 11:22:26 CEST 2022
;; MSG SIZE rcvd: 99
And www.paypal.com to an IP address from Fastly (IPv4 only as well):
% dig -t a www.paypal.com
; <<>> DiG 9.18.7 <<>> -t a www.paypal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37683
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: fd4fee988a34d76801000000634a7c8d75824b434a27dbf6 (good)
;; QUESTION SECTION:
;www.paypal.com. IN A
;; ANSWER SECTION:
www.paypal.com. 3384 IN CNAME www.glb.paypal.com.
www.glb.paypal.com. 85 IN CNAME www-fastly.glb.paypal.com.
www-fastly.glb.paypal.com. 85 IN A 151.101.65.21
;; Query time: 2 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Sat Oct 15 11:25:33 CEST 2022
;; MSG SIZE rcvd: 144
> Paypal actually has two redirects on the site.
>
> http://paypal.com goes to https://paypal.com (which then goes to
> https://www.paypal.com)
This is the proper way of doing a redirect from the bare domain (without
www) over HTTP to the hostname (with www) over HTTPS. The idea is that
on the HTTPS site (e.g. just paypal.com) the Strict-Transport-Security
header is set, so the browser is made aware that this site
should be visited over HTTPS. On the next visit, even if the user just
types paypal.com into the URL bar, the browser goes directly to
https://paypal.com/ and so uses only encrypted communication.
> $ curl -I http://paypal.com
> HTTP/1.1 301 Moved Permanently
> Content-Type: text/html
> Content-Length: 185
> Connection: keep-alive
> Location: https://paypal.com/
>
> so that may play a role.
>
Sure it does, but as mentioned above, it is the proper way of doing it.
When I test these two IP addresses with openssl s_client -status, I do
not get an OCSP Stapling response, as it may have expired now. Probably
they are not aware of the problem yet, as even on Firefox the OCSP check
may not be enabled. The revoke reason 'superseded' suggests that they
may have a new certificate, but it has not been deployed yet. Somebody
at PayPal may now have a busy weekend in figuring out what went wrong.
Best regards,
Fabian
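A small check in the spirit of the openssl s_client -status test discussed above, added here as an example and not part of the original thread: it parses the OCSP section of s_client output and classifies the staple as missing, revoked (with reason), expired or good. The sample output is constructed and the field labels assume OpenSSL's usual -status text; nothing here was captured from paypal.com.

```python
import re
from datetime import datetime, timezone

# Constructed sample of the OCSP section that `openssl s_client -status`
# prints (labels follow OpenSSL's usual layout; not captured from paypal.com).
SAMPLE_REVOKED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    Revocation Time: Oct 14 08:00:00 2022 GMT
    Revocation Reason: superseded (0x4)
    This Update: Oct 13 10:00:00 2022 GMT
    Next Update: Oct 20 09:59:59 2022 GMT
"""
SAMPLE_NONE = "OCSP response: no response sent\n"  # server does not staple at all
SAMPLE_GOOD = SAMPLE_REVOKED.replace("Cert Status: revoked", "Cert Status: good")

MAIL_TIME = datetime(2022, 10, 15, 9, 41, tzinfo=timezone.utc)  # when the mail was sent
LATER = datetime(2022, 10, 21, tzinfo=timezone.utc)             # after Next Update
_TIME_FMT = "%b %d %H:%M:%S %Y GMT"  # OpenSSL prints e.g. "Oct  5 09:59:59 2022 GMT"

def _field(text, label):
    """Value of a '<label>: value' line, or None if the label is absent."""
    m = re.search(rf"^\s*{re.escape(label)}:\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None

def classify_staple(text, now):
    """Classify a stapled OCSP response as a client would see it at `now`.

    Returns 'missing', 'revoked (<reason>)', 'expired', 'good' or 'unknown'.
    A revoked answer is reported even if stale; a stale 'good' answer is
    'expired', since clients reject it and fall back to their own OCSP check.
    """
    status = _field(text, "OCSP Response Status")
    if "no response sent" in text or status is None:
        return "missing"
    if not status.startswith("successful"):
        return "unknown"
    cert_status = _field(text, "Cert Status")
    if cert_status == "revoked":
        reason = (_field(text, "Revocation Reason") or "unspecified").split(" (")[0]
        return f"revoked ({reason})"
    next_update = _field(text, "Next Update")
    if next_update:
        expires = datetime.strptime(next_update, _TIME_FMT).replace(tzinfo=timezone.utc)
        if expires < now:
            return "expired"
    return "good" if cert_status == "good" else "unknown"
```

Feed it the text between the "OCSP response:" marker and the certificate dump of a real s_client run to get the same four-way answer for a live server.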