<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
<p>OK, paypal.com 302s to <a class="moz-txt-link-abbreviated" href="http://www.paypal.com">www.paypal.com</a>.</p>
    <p><br>
    </p>
    <p># curl -I <a class="moz-txt-link-freetext" href="https://paypal.com">https://paypal.com</a><br>
      HTTP/1.1 302 Moved Temporarily<br>
      Content-Type: text/html<br>
      Content-Length: 161<br>
      Connection: keep-alive<br>
      Location: <a class="moz-txt-link-freetext" href="https://www.paypal.com/">https://www.paypal.com/</a><br>
      Strict-Transport-Security: max-age=31536000; includeSubDomains</p>
<p>So Firefox must be checking the cert first, before the redirect.<br>
    </p>
<p>But other browsers may be processing the 302 THEN checking and
      seeing the valid <a class="moz-txt-link-abbreviated" href="http://www.paypal.com">www.paypal.com</a>.<br>
    </p>
    <p>-bill<br>
    </p>
    <div class="moz-cite-prefix">On 10/14/22 3:23 PM, Alex Cohn via
      Outages wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAN3-_m5hznVbwO5tvkamJyWetojsEj2DBALPF2s6RpLRT6rQ3w@mail.gmail.com">
      <div dir="ltr">I'm getting a "revoked" OCSP response for the cert
        currently used by <a href="http://paypal.com"
          moz-do-not-send="true">paypal.com</a>, but a good response for
        <a href="http://www.paypal.com" moz-do-not-send="true">www.paypal.com</a>.
        The naked domain is using OCSP stapling and is serving an older
        valid response, which is probably why it's still working even on
        browsers that are configured to check for certificate
        revocation.
        <div><br>
        </div>
        <div>The two certificates are <a
            href="https://crt.sh/?id=7746738574" moz-do-not-send="true"
            class="moz-txt-link-freetext">https://crt.sh/?id=7746738574</a>
          (revoked, used by <a href="http://paypal.com"
            moz-do-not-send="true">paypal.com</a>) and <a
            href="https://crt.sh/?id=7754586913" moz-do-not-send="true"
            class="moz-txt-link-freetext">https://crt.sh/?id=7754586913</a>
          (valid, used by <a href="http://www.paypal.com"
            moz-do-not-send="true">www.paypal.com</a>). 
          <div><br>
          </div>
          <div>-Alex</div>
        </div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Fri, Oct 14, 2022 at 5:14
          PM George Herbert via Outages <<a
            href="mailto:outages@outages.org" moz-do-not-send="true"
            class="moz-txt-link-freetext">outages@outages.org</a>>
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px
          0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I
          get a good response now, with Produced At Oct 14 19:18:25 2022<br>
          <br>
          -george <br>
          <br>
          Sent from my iPhone<br>
          <br>
          > On Oct 14, 2022, at 2:43 PM, Chuck Anderson via Outages
          <<a href="mailto:outages@outages.org" target="_blank"
            moz-do-not-send="true" class="moz-txt-link-freetext">outages@outages.org</a>>
          wrote:<br>
          > <br>
          > Firefox says:<br>
          > <br>
          > Secure Connection Failed<br>
          > <br>
          > An error occurred during a connection to <a
            href="http://paypal.com" rel="noreferrer" target="_blank"
            moz-do-not-send="true">paypal.com</a>. Peer’s Certificate
          has been revoked.<br>
          > <br>
          > Error code: SEC_ERROR_REVOKED_CERTIFICATE<br>
          > <br>
          > OCSP checker says:<br>
          > <br>
          > <a href="https://www.certificatetools.com/ocsp-checker"
            rel="noreferrer" target="_blank" moz-do-not-send="true"
            class="moz-txt-link-freetext">https://www.certificatetools.com/ocsp-checker</a><br>
          > <br>
          > Domain Name(s)    <a href="http://paypal.com"
            rel="noreferrer" target="_blank" moz-do-not-send="true">paypal.com</a>,
          <a href="http://paypal-workplace.com" rel="noreferrer"
            target="_blank" moz-do-not-send="true">paypal-workplace.com</a>,
          <a href="http://xoom-experience.com" rel="noreferrer"
            target="_blank" moz-do-not-send="true">xoom-experience.com</a>,
          <a href="http://buyindiaonline.com" rel="noreferrer"
            target="_blank" moz-do-not-send="true">buyindiaonline.com</a>,
          <a href="http://paypal-experience.com" rel="noreferrer"
            target="_blank" moz-do-not-send="true">paypal-experience.com</a>,
          <a href="http://xoom.com" rel="noreferrer" target="_blank"
            moz-do-not-send="true">xoom.com</a>, <a
            href="http://venmo-experience.com" rel="noreferrer"
            target="_blank" moz-do-not-send="true">venmo-experience.com</a>,
          <a href="http://sandbox.paypal.com" rel="noreferrer"
            target="_blank" moz-do-not-send="true">sandbox.paypal.com</a>,
          <a href="http://paypal.me" rel="noreferrer" target="_blank"
            moz-do-not-send="true">paypal.me</a>, <a
            href="http://cash2india.com" rel="noreferrer"
            target="_blank" moz-do-not-send="true">cash2india.com</a><br>
          > OCSP URI    <a href="http://ocsp.digicert.com"
            rel="noreferrer" target="_blank" moz-do-not-send="true"
            class="moz-txt-link-freetext">http://ocsp.digicert.com</a><br>
          > Next Update    Oct 21 18:12:02 2022 GMT<br>
          > This Update    Oct 14 18:57:02 2022 GMT<br>
          > Cert Status    revoked<br>
          > Produced At    Oct 14 19:13:05 2022 GMT<br>
          > Response Type    Basic OCSP Response<br>
          > OCSP Response Status  successful (0x0)<br>
          > OpenSSL Command          openssl ocsp -sha1 -issuer
          ca.crt -cert cert.crt -header host=<a
            href="http://ocsp.digicert.com" rel="noreferrer"
            target="_blank" moz-do-not-send="true">ocsp.digicert.com</a>
          -url <a href="http://ocsp.digicert.com" rel="noreferrer"
            target="_blank" moz-do-not-send="true"
            class="moz-txt-link-freetext">http://ocsp.digicert.com</a>
          -text -CAfile ca.crt -no_nonce<br>
          > _______________________________________________<br>
          > Outages mailing list<br>
          > <a href="mailto:Outages@outages.org" target="_blank"
            moz-do-not-send="true" class="moz-txt-link-freetext">Outages@outages.org</a><br>
          > <a
            href="https://puck.nether.net/mailman/listinfo/outages"
            rel="noreferrer" target="_blank" moz-do-not-send="true"
            class="moz-txt-link-freetext">https://puck.nether.net/mailman/listinfo/outages</a><br>
        </blockquote>
      </div>
    </blockquote>
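<p>The comparison the thread made by hand (the OCSP response a server staples versus a fresh answer from the CA responder, connecting directly so no HTTP redirect is followed), as an added shell example that is not part of any message in the thread. The host argument, the work-dir layout and the ocsp_field/verdict/fetch_tls/compare_status helper names are this example's own assumptions; it needs OpenSSL 1.1 or newer and network access for the live query.</p>

```shell
#!/bin/sh
# Added example, not a message from the thread: compare the OCSP response a
# server staples with a fresh answer from the CA responder, the comparison the
# thread made by hand. Needs OpenSSL 1.1+ and network access for the live part.

# Pull one field ("Cert Status", "Produced At", "This Update", "Next Update")
# out of an OpenSSL textual OCSP dump read on stdin; prints "n/a" if absent.
ocsp_field() {
    v=$(sed -n "s/^[[:space:]]*$1: *//p" | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'n/a\n'; fi
}

# What a client concludes from the two answers. A client that trusts a staple
# still inside its validity window never asks the responder, which is why a
# "good" staple produced before the revocation keeps the site working.
verdict() {   # $1 = stapled status, $2 = live responder status
    case "$1/$2" in
        good/revoked)        echo "stale staple: staple says good, responder says revoked" ;;
        revoked/*|*/revoked) echo "revoked" ;;
        n/a/*)               echo "no staple: clients that check will ask the responder ($2)" ;;
        *)                   echo "consistent ($1/$2)" ;;
    esac
}

# Connect straight to the host (the TLS handshake, and so the certificate check,
# happens before any HTTP redirect) and save the chain plus any stapled response.
fetch_tls() {   # $1 = host, $2 = work dir
    openssl s_client -connect "$1:443" -servername "$1" -status -showcerts \
        </dev/null 2>/dev/null >"$2/s_client.txt"
    # -showcerts prints the chain in order: cert1.pem = leaf, cert2.pem = its issuer
    awk -v d="$2" '/BEGIN CERTIFICATE/{n++; f=1} f{print >(d "/cert" n ".pem")}
                   /END CERTIFICATE/{f=0}' "$2/s_client.txt"
}

compare_status() {   # $1 = host
    d=$(mktemp -d)
    fetch_tls "$1" "$d"
    uri=$(openssl x509 -in "$d/cert1.pem" -noout -ocsp_uri)
    # Fresh query, signature checked against the issuer as the thread's command did
    openssl ocsp -issuer "$d/cert2.pem" -cert "$d/cert1.pem" -url "$uri" \
        -CAfile "$d/cert2.pem" -no_nonce -resp_text >"$d/live.txt" 2>/dev/null
    stapled=$(ocsp_field "Cert Status" <"$d/s_client.txt")
    live=$(ocsp_field "Cert Status" <"$d/live.txt")
    printf '%s\n  staple: %s (produced %s, next update %s)\n  live:   %s\n  %s\n' "$1" \
        "$stapled" "$(ocsp_field 'Produced At' <"$d/s_client.txt")" \
        "$(ocsp_field 'Next Update' <"$d/s_client.txt")" "$live" "$(verdict "$stapled" "$live")"
    rm -rf "$d"
}
if [ $# -gt 0 ]; then compare_status "$1"; fi
```

<p>Run it as <code>sh ocspcheck.sh paypal.com</code> (or with any other host); a "stale staple" verdict means clients honouring the staple and clients querying the responder will disagree until the staple's Next Update passes or the server refreshes it.</p>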
  </body>
</html>