PayPal SSL error (ERR_CERT_COMMON_NAME_INVALID) Chrome, Opera, IE

5

0

I'm running Windows 8.1 Pro, an almost clean OS protected by Norton Internet Security v. 21.5.0.19. I have a strange issue in Google Chrome v. 37.0.2062.124 m and Opera 24.0 when trying to visit the PayPal website. The problem is that the SSL certificate common name (CN) doesn't match PayPal.

Google Chrome error page:

enter image description here

Opera error pop-up:

enter image description here

Google Chrome and Opera certificate information:

enter image description here

The most interesting part is that Firefox v. 31.0 and Safari 5.1.7 work like a charm:

enter image description here

My system, router and BIOS date and time are correct. I've tried to use Google DNS IPs as well as the DNS of my internet provider. I have no extensions. The hosts file is clean. I have no idea why the problem occurs. Help me please. Thank you! :)

UPD: I still have this issue. :( The SSL "Issued to" field has different values from time to time (I even had google.com when I used 8.8.8.8 DNS) but PayPal doesn't open. Sometimes it lets me log in and even press a couple of buttons, but after that I'm back to the SSL error again. Same issue when using IE.

  • I have no malware;
  • System, BIOS, router time and date are absolutely correct;
  • Hosts file is clean;
  • Cache is clean;
  • Everything is up to date.

  • Tried ipconfig /flushdns; - Interesting situation here. With a 50% chance PayPal opens after executing this command. But after a short time, like a few button presses or, let's say, 3 minutes, you receive the SSL error and can't continue viewing the website. And the most interesting part is that the "Issued to" differs from time to time too. This happens both with my provider's default DNS and Google DNS servers.

  • I tried to completely disable Norton Internet Security;

  • I tried to visit https://66.211.169.66/ instead of PayPal, but I have the same error (but the "Issued to" seems to be correct this time: "paypal.com");

UPD: List of all Certificates under "Trusted Root Certification Authorities" tab:

enter image description here

Complete removal of Norton Internet Security changed nothing. But one important thing: I'm using an Asus WL520gc router connected via wire. I tried connecting the cable directly to my PC and set up a simple VPN connection, and PayPal finally started opening. My router settings are pretty simple: everything is disabled except VPN and manual IP assignment for wireless devices. I have absolutely no idea what the issue can be. Mobile devices connected through this router open PayPal perfectly. And it seems the problem is with PayPal only, because other HTTPS connections cause me no problems as far as I remember.

And I have no plugins for browsers at all. I do pay attention to the things I install on my PC and that's why I have no plugins, toolbars etc.

Now I have the same issue with the Safari browser as well. :(

enter image description here

I can't catch when it appears, because at the same time it works now in Chrome but doesn't work in Safari. And in 3 minutes or so Chrome shows the certificate error again.

PayPal is working for me now, please see the tracert route:

enter image description here

Certificates look different for the https://66.211.169.66/ and https://www.paypal.com websites:

enter image description here

OK, it doesn't work again! Now "Issued to" is google.com:

enter image description here

enter image description here

But the screen is still the same if I visit https://66.211.169.66/ as on the previous screenshot.

Tracert now looks like this:

enter image description here

And nslookup looks the same for working and non-working states:

enter image description here

After a reconnect, "Issued to" changed to ad.yieldmanager.com (I've never seen this website before):

enter image description here

After a couple more reconnects - PayPal works but ping looks like this:

enter image description here

Important UPD. Now I see the problem persists on all devices connected through my router! DNS is currently set to 8.8.8.8, and the certificate is issued to google.com. If I change DNS to automatic, "Issued to" changes to one of the random addresses mentioned above. See the screenshots from an Android device connected via Wi-Fi. It's the default browser.

enter image description here enter image description here

Mike

Posted 2014-09-25T13:37:15.833

Reputation: 517

2

Uninstall Norton and remove any plugin it installed within Chrome or Opera. – davidbaumann – 2015-03-03T20:42:17.960

2

Does this only happen when you try to access PayPal over HTTPS? Do you notice similar problems when visiting other websites (say, Gmail) over SSL? Also, did you check your certificate store to see if you recognize any unwanted root certificates? The problem you're facing seems similar to the SuperFish incident. Could you run certmgr.msc and add the list of all Trusted Root Certification Authorities to your question? Order the list by Expiration Date so anomalies are easy to pick out.

– Vinayak – 2015-03-06T23:13:50.957

2

I think the reason why it works well in Firefox is because Firefox has its own certificate store and doesn't rely on the Windows cert store to validate SSL connections. Chrome, however, does. As does IE. I guess Safari maintains its own root cert store as well. Maybe this test might help. Opera used to have its own cert store too, but not anymore.

– Vinayak – 2015-03-06T23:33:40.880

Please see my UPD.. – Mike – 2015-03-07T14:07:02.157

What do you see when you do a tracert 66.211.169.66? – Vinayak – 2015-03-07T16:37:24.303

Also, could you show what the certification path looks like? – Vinayak – 2015-03-07T16:50:48.027

1

Could you verify that the thumbprint of VeriSign Class 3 Public Primary Certification Authority - G5 is indeed 4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be 3d 9b 67 44 a5 e5? In the certification path, can you confirm that VeriSign Class 3 Public Primary Certification Authority - G5 is the root certificate used to issue the certificate for VeriSign Class 3 Secure Server CA - G3? You can check that like this. Could you also provide the output of nslookup paypal.com?

– Vinayak – 2015-03-07T23:32:04.750

1

I also just noticed that your first screenshot says your connection to PayPal is encrypted with 112-bit encryption, which looks very suspicious to me. I've never seen that before. I usually see 128 or 256 bit encryption. And my connection to PayPal is indeed encrypted with 128-bit encryption using TLS 1.2. Have you tried updating to the latest version of Google Chrome and then visiting PayPal again? – Vinayak – 2015-03-07T23:56:56.323

Please see my UPD. – Mike – 2015-03-08T11:58:12.660

Mike, the ping results are fine. That's a valid PayPal host. Are you using a VPN to access websites (including PayPal) on your computer?

– Vinayak – 2015-03-08T13:32:24.903

I just found out about this which looks quite similar to the issue you're facing (note the certificate for josbank.com when visiting docs.google.com). Unfortunately, it's in Chinese and Google Translate doesn't help much so I can't make out what the problem is, but it seems it might be VPN related.

– Vinayak – 2015-03-08T13:43:26.120

@Vinayak yes I'm using VPN at my router (PPPoE) connection without encryption. IP/DNS automatically. MTU/MRU set to 1492. "Issued to" field changed if I play with DNS - set Manual (8.8.8.8 / 8.8.4.4) and back to automatically. But I can't catch the actual issue and can't represent the issue by my wish. It's just random. – Mike – 2015-03-08T13:44:29.100

Can you try visiting PayPal without a VPN and see if you still get the CERT_COMMON_NAME_INVALID error? – Vinayak – 2015-03-08T13:45:33.557

The problem is that my internet provider doesn't let me visit any web sources without an established VPN connection. I mean once it's disconnected, I have only local internet available. Like my billing panel and provider website. – Mike – 2015-03-08T13:49:31.523

You said PayPal opens fine on mobile devices connected to your Wi-Fi? Do they fail to open at random times like with Chrome on your computer? Also, could you connect to a separate VPN after you've connected to your ISP's VPN? For instance, what happens if you access PayPal through CyberGhost VPN?

– Vinayak – 2015-03-08T13:59:08.560

@Vinayak I have the same issue at a mobile device! Please see my upd. And yes it seems to work fine via CyberGhost. – Mike – 2015-03-08T14:17:54.873

I think that pretty much tells us everything we need to know. The problem lies with the router. Specifically, with the DNS settings or the VPN, I'm not sure yet. You can try switching to a different DNS server like OpenDNS or CyberGhost's DNS and see if that makes a difference. If not, it has to be the ISP's VPN, in which case you'd have to contact your ISP.

– Vinayak – 2015-03-08T14:36:31.687

In the meantime, you could also try using CyberGhost VPN (or any other VPN of your choice) for a while and keep visiting PayPal at random times to see if the certificate problem recurs. If it does not, you know there's something wrong with your ISP's VPN. Also, a router reset might be in order. – Vinayak – 2015-03-08T14:46:28.103

@Vinayak Thank you so much for your time and help. I see the problem is somewhere between my router and ISP. I will also try firmware update, maybe a new router, and finally I will try to contact my ISP. Can you please resume all of your final thoughts as an answer, I would like to accept it, cause I'm not sure it's possible to help me more than you did and I appreciate it. – Mike – 2015-03-08T15:27:57.287

Answers

1

Since all devices connected to the Wi-Fi router are now affected, the problem must lie with the router. A router reset might help fix the problem. If it does not, changing the DNS settings might (e.g. Google DNS or OpenDNS).

If changing the DNS settings doesn't help either (which seems to be the case), I'd assume the problem lies with the ISP's VPN connection that you're required to connect to before you can access the Internet. In that case, you'd have to contact your ISP and let them know about the issue and they'll fix it.

In the meantime, you can connect to a third-party VPN (e.g. CyberGhost VPN) after you've connected to your ISP's VPN and hopefully that'll fix the problems you're facing.

You might also want to confirm that the problem lies with your Wi-Fi connection by connecting a device you know is clean to your Wi-Fi and then visiting PayPal.com on that device. If you still get an ERR_CERT_COMMON_NAME_INVALID or similar errors, you can be sure that your router/ISP is the troublemaker.

Vinayak

Posted 2014-09-25T13:37:15.833

Reputation: 9 310
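One way to run the repeated check this answer suggests from a device on the same network, as an added example that is not part of the original answer: sample the certificate presented for a hostname several times and report which names it was issued to and whether any of them fail to cover the host. The sample dictionaries are constructed (only the names come from the question), and the function names are hypothetical.

```python
import socket
import ssl
from collections import Counter

# Constructed samples shaped like ssl.SSLSocket.getpeercert() output. The names
# are the "Issued to" values reported in the question; everything else is made up.
SAMPLES = [
    {"subject": ((("commonName", "www.paypal.com"),),),
     "subjectAltName": (("DNS", "www.paypal.com"),)},
    {"subject": ((("commonName", "google.com"),),),
     "subjectAltName": (("DNS", "google.com"), ("DNS", "*.google.com"))},
    {"subject": ((("commonName", "ad.yieldmanager.com"),),)},  # CN only, no SAN
]

def names_in_cert(cert):
    """DNS names a certificate claims; SAN entries take precedence over the CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; '*.' covers exactly one left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def cert_covers(cert, host):
    return any(name_matches(n, host) for n in names_in_cert(cert))

def fetch_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate with chain validation on but hostname checking
    off, so a chain-valid certificate for the wrong site is returned, not rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def summarize(host, certs):
    """Count the distinct name sets presented and how many do not cover host."""
    seen = Counter(", ".join(names_in_cert(c)) or "<none>" for c in certs)
    mismatches = sum(1 for c in certs if not cert_covers(c, host))
    return {"distinct": len(seen), "mismatches": mismatches, "seen": dict(seen)}

if __name__ == "__main__":
    import time
    host, certs = "www.paypal.com", []
    for _ in range(5):           # five samples, 30 seconds apart
        certs.append(fetch_cert(host))
        time.sleep(30)
    print(summarize(host, certs))
```

An `ssl.SSLCertVerificationError` raised by `fetch_cert` means the chain itself did not validate against the local trust store. A bare IP address never matches a certificate that lists only DNS names, so a warning on an IP URL does not by itself indicate interception.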

1

I believe that your computer has somehow been hijacked, even though the antivirus cannot identify the infection.

The certificate you display for paypal.com is in fact on the name of ebayclassifieds.com, which is a legitimate website. However, checking the certificates of both these websites thru the DigiCert SSL Installation Diagnostics Tool gives normal-looking details.

While if you look in the details of the certificate you posted, you will see that the date of validation is 20 января 2013 to 20 января 2015. Now января is January in Russian, while the certificates of paypal.com and ebayclassifieds.com are issued by VeriSign and Symantec and are valid respectively from 16/Apr/2014 to 07/Jun/2016 and from 01/Dec/2014 to 21/Jan/2017.

As all your screenshots are in English, I assume that you are not from Russia, and therefore the displayed details are bogus. (If you are in fact from Russia, some of my conclusions below are incorrect.)

The certificate you posted is in fact elapsed, which is impossible for a website such as ebay, and the part in Russian is also quite suggestive.

My advice is not to use your computer for doing any financial transaction or consultation!

The virus you are infected with has apparently Russian origin. It looks like it is trying to redirect your browser into its own Paypal-clone website using falsified certificates. Apparently the virus has some bug or is not (yet?) well-installed, which is your great luck. According to what you say, it has infected some browsers on your computer and has succeeded in infecting some additional browsers.

As the antivirus is apparently helpless to eradicate this virus, I would advise to reformat your hard disk and reinstall Windows and all your applications. Take full backups of your personal data first, of course (but no point in taking any disk-image backup).

You will need to take more precautions against infection once the situation returns to normal, but that's another story.

As other devices at your place are functioning normally, I assume that the router itself has not been hijacked.

harrymc

Posted 2014-09-25T13:37:15.833

Reputation: 306 093

According to Qualys SSL Labs the 3 PayPal IPs (that Qualys detected) were either signed using VeriSign or DigiCert certificates. Only EbayClassifieds was signed by Symantec.

– Vinayak – 2015-03-07T23:08:41.020

@Vinayak: Interesting tool. But also according to what you say, the paypal.com site doesn't use a certificate on the name of ebayclassifieds.com. – harrymc – 2015-03-08T08:32:48.470

No, it doesn't. I don't think that would be possible either as it would cause a name mismatch error like the one OP experienced. I'm not sure what's happening here but from looking at the first screenshot (112-bit encryption) and the dissimilar issuers for EbayClassifieds, it does seem like a hacking attempt. Maybe if the OP could look at the certification path and post the root certificate used to issue the certificates for EbayClassifieds and PayPal, we could compare it with the original root certs and determine if the root cert was tampered with. – Vinayak – 2015-03-08T08:46:35.637

Thank you for your answer, I live in Russia at this moment. Right now PayPal works fine in all of my browsers, but I will wait a bit until it stops working again. Then I will post the tracert data and certificate path. – Mike – 2015-03-08T10:13:12.470

@Vinayak: Wonderful find Qualys - thanks. No idea why both our tools see different certificates, but the one reported by the poster is not one of them. It seems to be older, with validity 2013-2015, while both our tools report validity from 2014. There have been reports of CAs being hacked so resulting in bogus certificates, and I'm wondering if this is one of them. In that case the root certificate will be correct, but the dates will be older since the CA breaches were in the past. The hackers may only have bogus certificate for ebayclassifieds, not paypal, and are using what they have. – harrymc – 2015-03-08T10:14:03.800

@Mike: Regard the details of the certificate that is now being reported for paypal, if they concord with my tool or that of Vinayak. The virus may have updated itself with a better version, but it is also possible that an update to your antivirus has nullified it. Be on the lookout for bogus transactions on paypal, even small ones, for the next few years. And change your paypal password now. After such an episode I would in your place still feel uneasy about using that computer, so be vigilant. – harrymc – 2015-03-08T10:22:33.067

@Mike: Also deep-scan your computer with the free version of Malwarebytes Anti-Malware, just in case, as well as with your installed antivirus.

– harrymc – 2015-03-08T10:28:33.807

@harrymc just did a deep-scan - not a single threat detected. But I'm sure I will have the same issue with certificates in a couple of minutes/hours. Please see how my tracert looks now. – Mike – 2015-03-08T11:05:06.297

Paypal seems to have an enormous network of servers - not surprising. But most traces I did seem to converge to the same address segment as your tracert, so it seems legit. The certificate you posted also looks now the same as that reported by Qualys. If you have again the same issue, get immediately the certificate details and tracert. – harrymc – 2015-03-08T11:44:01.587

See my UPD. When it was in a working state my PayPal cert was issued by VeriSign and the dates differ from Qualys, no? – Mike – 2015-03-08T11:59:30.760

The certificates you see are in my opinion completely bogus. I still think you are infected. The virus keeps on evolving, which makes it much more dangerous. My recommendation still stands. – harrymc – 2015-03-08T13:13:32.093

@harrymc can you please share with me a screenshot of what the actual PayPal certificate should look like for paypal.com? – Mike – 2015-03-08T13:30:42.123

1

pic1 and pic2. – harrymc – 2015-03-08T13:48:46.703

@harrymc Thank you. And when you visit https://66.211.169.66/ you get just at paypal.com instead?

– Mike – 2015-03-08T13:51:31.537

I get a warning: "This Connection is Untrusted. You have asked Firefox to connect securely to 66.211.169.66, but we can't confirm that your connection is secure. Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified." Evidently this is not Paypal. – harrymc – 2015-03-08T14:34:44.687

More: whois says that this address comes from inside the ebay network which has the range of 66.211.160.0-66.211.191.255. This explains where the certificate from EbayClassifieds comes from. I suspect that these hackers have taken over some server on that network and are using stolen certificates to infect more computers like yours. You might be too small a fish for them to bother with, but take great care! This looks now more like organized crime than a small hacker. Take steps before they take over more devices at your place. – harrymc – 2015-03-08T21:32:38.363

I see that you prefer accepting an infection in the router rather than in your PC. However, if external router access from the Internet with the default password was not enabled by you (extremely unlikely to be on by default), then the likelier scenario is an infection of your PC, which has extended itself to the router in order to infect all devices. Why would router infection affect only one PC? The virus might still be hiding on your computer, and if you have more computers then on them too. – harrymc – 2015-03-09T14:24:36.950

I am also facing the same problem while browsing youtube.com. What was the solution you adopted? – Shyamkkhadka – 2020-01-14T05:50:09.790