<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>ok, paypal.com 302s to <a class="moz-txt-link-abbreviated" href="http://www.paypal.com">www.paypal.com</a></p>
<p><br>
</p>
<p># curl -I <a class="moz-txt-link-freetext" href="https://paypal.com">https://paypal.com</a><br>
HTTP/1.1 302 Moved Temporarily<br>
Content-Type: text/html<br>
Content-Length: 161<br>
Connection: keep-alive<br>
Location: <a class="moz-txt-link-freetext" href="https://www.paypal.com/">https://www.paypal.com/</a><br>
Strict-Transport-Security: max-age=31536000; includeSubDomains</p>
<p>So firefox must be checking the cert first before the redirect.<br>
</p>
<p>But other browsers may be processing the 302 THEN checking and
seeing the valid <a class="moz-txt-link-abbreviated" href="http://www.paypal.com">www.paypal.com</a> <br>
</p>
<p>-bill<br>
</p>
<div class="moz-cite-prefix">On 10/14/22 3:23 PM, Alex Cohn via
Outages wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAN3-_m5hznVbwO5tvkamJyWetojsEj2DBALPF2s6RpLRT6rQ3w@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">I'm getting a "revoked" OCSP response for the cert
currently used by <a href="http://paypal.com"
moz-do-not-send="true">paypal.com</a>, but a good response for
<a href="http://www.paypal.com" moz-do-not-send="true">www.paypal.com</a>.
The naked domain is using OCSP stapling and is serving an older
valid response, which is probably why it's still working even on
browsers that are configured to check for certificate
revocation.
<div><br>
</div>
<div>The two certificates are <a
href="https://crt.sh/?id=7746738574" moz-do-not-send="true"
class="moz-txt-link-freetext">https://crt.sh/?id=7746738574</a>
(revoked, used by <a href="http://paypal.com"
moz-do-not-send="true">paypal.com</a>) and <a
href="https://crt.sh/?id=7754586913" moz-do-not-send="true"
class="moz-txt-link-freetext">https://crt.sh/?id=7754586913</a>
(valid, used by <a href="http://www.paypal.com"
moz-do-not-send="true">www.paypal.com</a>).
<div><br>
</div>
<div>-Alex</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, Oct 14, 2022 at 5:14
PM George Herbert via Outages <<a
href="mailto:outages@outages.org" moz-do-not-send="true"
class="moz-txt-link-freetext">outages@outages.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I
get a good response now, with Produced At Oct 14 19:18:25 2022<br>
<br>
-george <br>
<br>
Sent from my iPhone<br>
<br>
> On Oct 14, 2022, at 2:43 PM, Chuck Anderson via Outages
<<a href="mailto:outages@outages.org" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">outages@outages.org</a>>
wrote:<br>
> <br>
> Firefox says:<br>
> <br>
> Secure Connection Failed<br>
> <br>
> An error occurred during a connection to <a
href="http://paypal.com" rel="noreferrer" target="_blank"
moz-do-not-send="true">paypal.com</a>. Peer’s Certificate
has been revoked.<br>
> <br>
> Error code: SEC_ERROR_REVOKED_CERTIFICATE<br>
> <br>
> OCSP checker says:<br>
> <br>
> <a href="https://www.certificatetools.com/ocsp-checker"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://www.certificatetools.com/ocsp-checker</a><br>
> <br>
> Domain Name(s) <a href="http://paypal.com"
rel="noreferrer" target="_blank" moz-do-not-send="true">paypal.com</a>,
<a href="http://paypal-workplace.com" rel="noreferrer"
target="_blank" moz-do-not-send="true">paypal-workplace.com</a>,
<a href="http://xoom-experience.com" rel="noreferrer"
target="_blank" moz-do-not-send="true">xoom-experience.com</a>,
<a href="http://buyindiaonline.com" rel="noreferrer"
target="_blank" moz-do-not-send="true">buyindiaonline.com</a>,
<a href="http://paypal-experience.com" rel="noreferrer"
target="_blank" moz-do-not-send="true">paypal-experience.com</a>,
<a href="http://xoom.com" rel="noreferrer" target="_blank"
moz-do-not-send="true">xoom.com</a>, <a
href="http://venmo-experience.com" rel="noreferrer"
target="_blank" moz-do-not-send="true">venmo-experience.com</a>,
<a href="http://sandbox.paypal.com" rel="noreferrer"
target="_blank" moz-do-not-send="true">sandbox.paypal.com</a>,
<a href="http://paypal.me" rel="noreferrer" target="_blank"
moz-do-not-send="true">paypal.me</a>, <a
href="http://cash2india.com" rel="noreferrer"
target="_blank" moz-do-not-send="true">cash2india.com</a><br>
> OCSP URI <a href="http://ocsp.digicert.com"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">http://ocsp.digicert.com</a><br>
> Next Update Oct 21 18:12:02 2022 GMT<br>
> This Update Oct 14 18:57:02 2022 GMT<br>
> Cert Status revoked<br>
> Produced At Oct 14 19:13:05 2022 GMT<br>
> Response Type Basic OCSP Response<br>
> OCSP Response Status successful (0x0)<br>
> OpenSSL Command openssl ocsp -sha1 -issuer
ca.crt -cert cert.crt -header host=<a
href="http://ocsp.digicert.com" rel="noreferrer"
target="_blank" moz-do-not-send="true">ocsp.digicert.com</a>
-url <a href="http://ocsp.digicert.com" rel="noreferrer"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">http://ocsp.digicert.com</a>
-text -CAfile ca.crt -no_nonce<br>
> _______________________________________________<br>
> Outages mailing list<br>
> <a href="mailto:Outages@outages.org" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">Outages@outages.org</a><br>
> <a
href="https://puck.nether.net/mailman/listinfo/outages"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://puck.nether.net/mailman/listinfo/outages</a><br>
_______________________________________________<br>
Outages mailing list<br>
<a href="mailto:Outages@outages.org" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">Outages@outages.org</a><br>
<a href="https://puck.nether.net/mailman/listinfo/outages"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://puck.nether.net/mailman/listinfo/outages</a><br>
</blockquote>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Outages mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Outages@outages.org">Outages@outages.org</a>
<a class="moz-txt-link-freetext" href="https://puck.nether.net/mailman/listinfo/outages">https://puck.nether.net/mailman/listinfo/outages</a>
</pre>
</blockquote>
</body>
</html>