Paypal.com SSL certificate invalid, issued to BitPay.com

19

1

Trying to buy some games from GoG, click Paypal and Chrome shows me this page:

[Screenshot: Chrome certificate warning for paypal.com, showing a certificate issued to bitpay.com]

I'm not entirely sure how to work out what's going on here. I am a Bitcoin user so my immediate fear is my network/computer has been compromised somehow.

Any help appreciated.

Other browsers
Fails to load in Chrome, and on iPhone over Wi-Fi.
Loads fine on PC in FF/IE, and loads fine on iPhone over 4G.

Copy of the .cer file:
https://www.dropbox.com/s/wg5oczk8wgyjjcr/paypal_bitpay.cer

What I've tried

  • Reinstalled Chrome (no help)
  • Run full virus scan (no threats)
  • Run Malwarebytes scan (no threats)
  • Updated router to latest firmware
  • Changed all router passwords
  • Cleared SSL state on machine
  • Wiped Chrome cache completely

Problem still persists!

Fixed

Changed DNS to Google's (8.8.8.8) and it works now. Any ideas why this is so?

Tom Gullen

Posted 2014-07-24T11:35:38.307

Reputation: 215

Unless you came from the BitPay website, the certificate that you provided a screenshot of is not PayPal's SSL certificate. You should always trust a browser when it says the website you're trying to visit isn't safe if it's a secure HTTP connection.

– Ramhound – 2014-07-24T11:41:38.220

@Ramhound, I understand, but I'm really confused about what could possibly be causing this right now – Tom Gullen – 2014-07-24T11:42:40.823

It sounds like you are infected with malware. I provided the actual certificate for PayPal. Chrome uses the certificate store of the operating system, so if that's been infected with an invalid certificate, IE will present the same certificate when you visit PayPal.

– Ramhound – 2014-07-24T11:45:10.010

What's the date and time on your computer? Check it against an online source for your town/country. Your computer should be "to the minute"... – Kinnectus – 2014-07-24T11:49:16.380

@BigChris I'm in London and my computer time is showing the correct time. TimeZone is set to (UTC) London – Tom Gullen – 2014-07-24T11:51:44.413

I am interested whether IE detects the same certificate. You don't even have to log into your account. Just go to PayPal and click on the lock; the details of the certificate and its path should be in the dialog box that appears. – Ramhound – 2014-07-24T11:57:42.433

@ramhound loads fine in IE, here's a screenshot: http://i.imgur.com/b2qDTxk.png

It's probably the first time I've ever opened IE on this computer though if it makes any difference.

– Tom Gullen – 2014-07-24T12:03:32.323

For what it's worth, the current PayPal certificate has this SHA1 fingerprint: 08:4B:E8:76:96:82:23:68:28:D8:E9:DC:55:90:1E:53:E8:EB:84:32 and was issued by VeriSign. – Cristian Ciupitu – 2014-07-24T12:04:08.380

@CristianCiupitu I get that in IE. Would this suggest it's probably not a network issue/MITM? – Tom Gullen – 2014-07-24T12:06:12.910

Do you have any extensions installed that have gone wrong? – Kinnectus – 2014-07-24T12:07:20.700

The first step would be to delete your Chrome profile and see if this still happens. If it does, verify the behavior happens in Firefox and IE. You are using the current version of Chrome, right? Chrome recently made a change to make the "address bar" more friendly. It's possible that while it indicates https://www.paypal.com you are not actually on that website. – Ramhound – 2014-07-24T12:08:10.970

We have not ruled out a MITM attack at this time – Ramhound – 2014-07-24T12:09:11.770

@BigChris the same happens in incognito mode which I believe disables extensions? Only extensions I have installed are adblockplus and reddit enhancement suite. – Tom Gullen – 2014-07-24T12:10:22.440

@Ramhound I'm using Chrome 36.0.1985.125m

Will delete Chrome profile and see what happens. – Tom Gullen – 2014-07-24T12:11:01.723

Just reinstalled Chrome completely, no addons, fresh install. Problem persists. – Tom Gullen – 2014-07-24T12:26:47.133

My iPhone over wifi can't establish a connection to Paypal.com, error is "Safari cannot open the page because it could not establish a secure connection to the server" – Tom Gullen – 2014-07-24T12:30:30.047

Answers

23

I don't think we need to say this, but do not accept that certificate.

Either something is wrong with your connection and you have a man in the middle, or something went terribly wrong on your browser, or some application server at PayPal was compromised.

Since everything looks normal from here, and the certificate is legitimate, don't trust whatever is on the other side.

Can you download the certificate and share it with us, out of curiosity?

Are you using a proxy somewhere? Even if you think you aren't, can you check your network and browser configuration to find it out? You may have malware installed or are using a rogue proxy.


Since the problem was fixed by changing the DNS server to Google's, I wonder what your DNS server was. It may have suffered a DNS cache poisoning, or RAM problems in the server may have mixed up cache entries. But I suspect the former: maybe your ISP has suffered an attack. The output of the host or dig commands, directed at the server, may be useful to debug.

dig www.paypal.com @8.8.8.8

dig www.paypal.com @(your DNS server)

host www.paypal.com 8.8.8.8

host www.paypal.com (your DNS server)

Also: if even your iPhone was having similar problems, the problem is most certainly in your ISP's DNS server. I'm not sure how effective it will be to warn them, but it may be a good idea.

Valmiky Arquissandas

Posted 2014-07-24T11:35:38.307

Reputation: 1 770

Thanks for the reply, would be happy to share the certificate but am unsure how to go about doing this.

Not knowingly using a proxy, and again am unsure how to check everything to confirm this. – Tom Gullen – 2014-07-24T11:43:17.583

@TomGullen: go to the Details tab, you should have an "Export" button. Then you have to upload it somewhere (people usually give a public link to a Dropbox; that should work). – Valmiky Arquissandas – 2014-07-24T11:44:49.293

Here we go: https://www.dropbox.com/s/wg5oczk8wgyjjcr/paypal_bitpay.cer

– Tom Gullen – 2014-07-24T11:47:57.767

1

The certificate seems to be valid; it is in fact identical to the one used by https://www.bitpay.com. It could be that either your /etc/hosts file has been modified to include www.paypal.com with the address of BitPay web servers, or that your DNS servers (as shown by ipconfig and nslookup www.paypal.com) are returning the wrong results.

– user1686 – 2014-07-24T12:21:12.237

It does not have to be the ISP DNS, it could also be the Wi-Fi router. – Martin Ueding – 2014-07-24T20:02:27.913

Indeed. That's actually scarier, and highly targeted. @TomGullen, are you using Wi-Fi? If so, is it unsecured (or WEP-"secured")? – Valmiky Arquissandas – 2014-07-24T20:14:42.680

@ValmikyArquissandas in the router page it says Authentication method: WPA2-Personal, WPA Encryption: AES and a WPA-PSK key has been set. Is that what you meant? – Tom Gullen – 2014-07-24T20:43:24.193

Just to be clear as well, we have an ASUS router and a Virgin Media modem. I might try taking the router out of the network and connecting directly to the modem to see if the problem persists (if it does, it's not the router's fault). – Tom Gullen – 2014-07-24T20:50:31.827

@TomGullen you can also try to set the DNS manually on the router to 8.8.8.8 – Aron – 2014-07-25T09:35:37.730

6

  1. On a trusted third-party computer that is not connected to your internet connection, download Ubuntu or something similar and slap it on a thumb drive or DVD.
  2. Boot this live operating system.
  3. Try to access PayPal from this environment.
  4. Run dig paypal.com and post it here (not sure whether dig is available by default though).

If you still experience problems, it’s likely your router had its DNS services manipulated. This is possible when the router’s web interface has bugs which allow changing settings without authentication.

Sample output for comparison:

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> paypal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27146
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;paypal.com.                    IN      A

;; ANSWER SECTION:
paypal.com.             300     IN      A       66.211.169.66
paypal.com.             300     IN      A       66.211.169.3

;; Query time: 8 msec
;; SERVER: 108.59.15.5#53(108.59.15.5)
;; WHEN: Thu Jul 24 15:30:13 2014
;; MSG SIZE  rcvd: 60

Last but not least, the redirect doesn’t make too much sense: After all, BitPay is not grabbing PayPal credentials.

Daniel B

Posted 2014-07-24T11:35:38.307

Reputation: 40 502
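The two answers above converge on the same check: query a resolver you trust and the resolver you actually use, and compare the A records (user1686's comment adds the hosts file as a second place a name can be hijacked). The script below is an added example, not code from either answerer; it parses dig output in the format shown above, uses Daniel B's posted output as the trusted baseline, and compares it against a constructed sample of what a tampered resolver might return. The 203.0.113.10 address, the 192.168.1.1 server and the hosts-file contents are placeholders constructed for the example and do not come from the thread.

```python
from __future__ import annotations

import re
from ipaddress import ip_address

# Daniel B's dig output from the answer above, used here as the trusted baseline.
TRUSTED_DIG = """\
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> paypal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27146
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;paypal.com.                    IN      A

;; ANSWER SECTION:
paypal.com.             300     IN      A       66.211.169.66
paypal.com.             300     IN      A       66.211.169.3

;; Query time: 8 msec
;; SERVER: 108.59.15.5#53(108.59.15.5)
;; WHEN: Thu Jul 24 15:30:13 2014
;; MSG SIZE  rcvd: 60
"""

# Constructed sample of what a tampered resolver might hand back. The address
# 203.0.113.10 is a documentation-range placeholder, not anything from the thread.
SUSPECT_DIG = """\
;; ANSWER SECTION:
paypal.com.             60      IN      A       203.0.113.10

;; SERVER: 192.168.1.1#53(192.168.1.1)
"""

# Constructed hosts file with one planted override (same placeholder address).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# planted line, constructed for this example
203.0.113.10    www.paypal.com paypal.com
"""

A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_a_records(dig_output: str) -> dict[str, set[str]]:
    """Map each owner name in dig's ANSWER SECTION to its set of A-record addresses."""
    records: dict[str, set[str]] = {}
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line.strip():
            break  # the section ends at the first blank line
        m = A_RECORD.match(line)
        if m:
            owner, _ttl, addr = m.groups()
            ip_address(addr)  # reject malformed addresses early
            records.setdefault(owner.rstrip(".").lower(), set()).add(addr)
    return records


def compare_resolvers(trusted_output: str, suspect_output: str, name: str) -> dict:
    """Flag addresses the suspect resolver returns that the trusted one does not."""
    key = name.rstrip(".").lower()
    trusted = parse_a_records(trusted_output).get(key, set())
    suspect = parse_a_records(suspect_output).get(key, set())
    unexpected = suspect - trusted
    return {
        "trusted": trusted,
        "suspect": suspect,
        "unexpected": unexpected,
        # An empty answer is also worth a look: the iPhone could not connect at all.
        "divergent": bool(unexpected) or not suspect,
    }


def hosts_overrides(hosts_text: str, name: str) -> list[str]:
    """Addresses a hosts file pins `name` to; comments and blank lines are ignored."""
    key = name.rstrip(".").lower()
    hits: list[str] = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if key in (n.lower() for n in names):
            hits.append(addr)
    return hits


if __name__ == "__main__":
    result = compare_resolvers(TRUSTED_DIG, SUSPECT_DIG, "paypal.com")
    print("trusted resolver :", sorted(result["trusted"]))
    print("suspect resolver :", sorted(result["suspect"]))
    print("unexpected       :", sorted(result["unexpected"]))
    print("hosts overrides  :", hosts_overrides(SAMPLE_HOSTS, "www.paypal.com"))
```

In practice you would feed it the captured output of `dig www.paypal.com @8.8.8.8` and `dig www.paypal.com @<your DNS server>`, and the contents of /etc/hosts (C:\Windows\System32\drivers\etc\hosts on Windows). A differing answer on its own is a lead rather than proof, since load-balanced services legitimately return different addresses from different vantage points; it becomes decisive when, as in this thread, the address the suspect resolver returns is the one serving a certificate for a different site.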

Thanks for the answer, changed my DNS to Google (8.8.8.8) and all seems fine now. Any ideas why this is, and what could have caused it? – Tom Gullen – 2014-07-24T13:55:02.403

That is creepy. What was your DNS before? Your ISP's? They may have suffered a DNS cache poisoning, or may just have RAM problems that mixed up cache entries. But I suspect the former. – Valmiky Arquissandas – 2014-07-24T14:09:48.590

It was default which I'm assuming is my ISP's (Virgin Media). – Tom Gullen – 2014-07-24T14:10:47.747

(I updated my answer above) – Valmiky Arquissandas – 2014-07-24T14:13:54.580

"bugs" - I think you meant backdoors… – strugee – 2014-07-24T16:59:51.083

@strugee Not necessarily, no. It’s just that most administration interfaces (for anything, really) are extremely low-quality. – Daniel B – 2014-07-24T17:23:14.433

1

Yeah, about that: http://www.v3.co.uk/v3-uk/news/2356520/defcon-white-hat-hackers-declare-war-on-soho-routers :)

– Valmiky Arquissandas – 2014-07-24T17:25:07.070