ok, paypal.com 302s to www.paypal.com
# curl -I https://paypal.com
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 161
Connection: keep-alive
Location: https://www.paypal.com/
Strict-Transport-Security: max-age=31536000; includeSubDomains
So firefox must be checking the cert first before the redirect.
But other browsers may be processing the 302 THEN checking and seeing
the valid www.paypal.com
-bill
On 10/14/22 3:23 PM, Alex Cohn via Outages wrote:
I'm getting a "revoked" OCSP response for the cert currently used by
paypal.com <http://paypal.com>, but a good response for www.paypal.com
<http://www.paypal.com>. The naked domain is using OCSP stapling and
is serving an older valid response, which is probably why it's still
working even on browsers that are configured to check for certificate
revocation.
The two certificates are https://crt.sh/?id=7746738574 (revoked, used
by paypal.com <http://paypal.com>) and https://crt.sh/?id=7754586913
(valid, used by www.paypal.com <http://www.paypal.com>).
-Alex
On Fri, Oct 14, 2022 at 5:14 PM George Herbert via Outages
<[email protected]> wrote:
I get a good response now, with Produced At Oct 14 19:18:25 2022
-george
Sent from my iPhone
> On Oct 14, 2022, at 2:43 PM, Chuck Anderson via Outages
<[email protected]> wrote:
>
> Firefox says:
>
> Secure Connection Failed
>
> An error occurred during a connection to paypal.com
<http://paypal.com>. Peer’s Certificate has been revoked.
>
> Error code: SEC_ERROR_REVOKED_CERTIFICATE
>
> OCSP checker says:
>
> https://www.certificatetools.com/ocsp-checker
>
> Domain Name(s) paypal.com <http://paypal.com>,
paypal-workplace.com <http://paypal-workplace.com>,
xoom-experience.com <http://xoom-experience.com>,
buyindiaonline.com <http://buyindiaonline.com>,
paypal-experience.com <http://paypal-experience.com>, xoom.com
<http://xoom.com>, venmo-experience.com
<http://venmo-experience.com>, sandbox.paypal.com
<http://sandbox.paypal.com>, paypal.me <http://paypal.me>,
cash2india.com <http://cash2india.com>
> OCSP URI http://ocsp.digicert.com
> Next Update Oct 21 18:12:02 2022 GMT
> This Update Oct 14 18:57:02 2022 GMT
> Cert Status revoked
> Produced At Oct 14 19:13:05 2022 GMT
> Response Type Basic OCSP Response
> OCSP Response Status successful (0x0)
> OpenSSL Command openssl ocsp -sha1 -issuer ca.crt -cert
cert.crt -header host=ocsp.digicert.com <http://ocsp.digicert.com>
-url http://ocsp.digicert.com -text -CAfile ca.crt -no_nonce
> _______________________________________________
> Outages mailing list
> [email protected]
> https://puck.nether.net/mailman/listinfo/outages
_______________________________________________
Outages mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/outages
_______________________________________________
Outages mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/outages
_______________________________________________
Outages mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/outages
