PayPal & HTTPS

Cycloid Torus

I use Chrome for a browser, but also have Firefox & IE (rarely used). All are up to date. I have HTTPS Everywhere, FlashControl, Adblock Plus, Avira Browser Safety. I have no problems reaching websites (eBay, Staples, BBC, my broker, TechSpot, etc.). I am having problems getting to PayPal, and once there (after 6-8 tries on Chrome and Firefox), I can have real problems logging in. Mostly the address bar complains about 'no https' ("failedBecause=securityTokenError" - see #1) between the login attempt and actually logging in, it pushes me back to the login screen to try again - though I cannot imagine running a financial site like PayPal without https throughout. On occasion I get a series of "Privacy Error" notices which basically says Chrome / Firefox will not let me proceed because there is something wrong. The most troublesome is #3, when I get on the PayPal website and HTTPS is 'green' and I link to login screen (still 'green') and I submit name and password for login and then https crashes and it appears there is a fraudulent certificate which involves "pixel.mathtag.com" (pop-up malware a/k/a Azureas).

I have spoken to techs at PayPal and have been told "we don't see any login attempt - so not our problem". Of course that is true because the login is PREVENTED due to irregularity in the security.

PayPal Problem 1.png
PayPal Problem 3 following link from paypal email.png

When https is broken, whose problem is it?
 
Thanks for direction- taken:


wormly - only exception

TLS Stateless Resume / Session Tickets
TLS Session resumption allows the reuse of a recently valid TLS session ticket - improving performance for clients making multiple requests in much the same way as SSL session caching does.

This improves performance from the clients’ perspective, because it eliminates the need for a new (and time-consuming) TLS handshake to be conducted each time a request is made.

A significant difference between TLS stateless resumption and SSL session caching is that TLS stateless resumption does not require the server to cache SSL session keys, which reduces the memory burden on the server to support large numbers of clients.

If the client or server does not support TLS session tickets then a new session must be established for each request. Most modern clients and servers support this feature, so be sure to enable it on your secure web server.

comment: not such a bad thing - means I have to get each instance tested (I guess)


F-Secure: able to access

digicert.com - clear

Ran adware cleaner - no issues

Haven't run JRT in a while, so I might dig up a current copy and try that...but I was wondering if it was some type of Man in the Middle since it would appear for a while and then not for a while
 
Tried same in Firefox - all 3 tests worked fine - same TLS stateless exception

BUT when I tried to reach PayPal, while I could get to home and it was secure, when I tried to login I got the following "failure" in the address bar - securityTokenError

PayPal Problem 4.png
 
So I went back to Chrome and googled 'security token error papal' and tried the first link:
PayPal Problem 6.png

which then led to:

PayPal Problem 5.png

So I have made the entire round trip and am back at 'broken https'
 
I use IE to log in with no problems; try it. It might be Chrome playing silly buggers.
 
My thought is you need updated certificates and to drop the old, now unsupported ones
 
Another slant: https://cheapsslsecurity.com/blog/google-chrome-ssl-certificate-errors-troubleshoot-guide/

"Main reasons behind SSL Certificate Error on Google Chrome are:

(1) The System Time is not the real-time.

(2) The SSL certificate has Expired.

(3) Google Chrome is not updated.

(4) The SSL certificate is not Installed properly.

(5) The SSL certificate is not issued by a Trusted Certificate Authority (CA) or a self-signed certificate is used to secure a website.

(6) The website is secured with an outdated 128-bit SSL.

(7) The website is secured with an outdated SHA-1 Algorithm."

On my end, the problems could be 'bad time' on my system clock (mine is NIST) and 'out of date' browser (updated 3 times in last 2 weeks). Maybe we add 'bad windows update'.

Sorry if I'm a bit burned out. Up all night with a sick furnace in -20C weather.
 
  • Puzzled. 3004394 installed 12/10/14. 3024777 installed 12/13/14. ("problem fixed").
  • Then AGAIN 3004394 installed 2/11/15 (latest update).

  • Is this a new 3004394 or the old one? Should I apply the 3024777 fix AGAIN?

  • Win7 Home Premium (updated); Chrome (updated)
Likely due to repeated use of the 3004394 identifier (eg v1,v2,v3 ...) to track currency of the certificates.

3024777 should not be required UNLESS you have an issue.
 
Likely due to repeated use of the 3004394 identifier (eg v1,v2,v3 ...) to track currency of the certificates.

3024777 should not be required UNLESS you have an issue.
Don't have the specific error, so will not run the fix.

I guess it looks like PayPal's problem - at least until the dying certificate expires.
 
That bothers me, as others are using PP - - so I would question your PC. Have you tried accessing via a mobile device?
 
Don't own one. Just was able to sign in at PayPal and at PayPal tech support - as if nothing had happened.

Then I tried an incognito Chrome and was told PayPal wouldn't accept https

"
Windows Network Diagnostics

Issues found
The remote device or resource won't accept the connection
The device or resource (www.paypal.com) is not set up to accept connections on port "https".
Detected
Contact your network administrator
Completed

The computer or device you are trying to reach is available, but it doesn’t support what you’re trying to do. This might be a configuration issue or a limitation of the device.

Detection details
Network Diagnostics Log
File Name: 7D22A6E3-9FAF-47F7-94E3-D4E0C1ED6A05.Diagnose.0.etl
Other Networking Configuration and Logs
File Name: NetworkConfiguration.cab

Collection information
Computer Name: BOSSPC
Windows Version: 6.1
Architecture: amd64
Time: Monday, February 15, 2016 2:10:30 PM

Publisher details
Windows Network Diagnostics
Detects problems with network connectivity.
Package Version: 1.0
Publisher: Microsoft Windows
"

Puzzled.
 
Ran malwarebytes - nothing. CMD - ipconfig /dnsflush (oops, /flushdns) - connected https with PayPal.

Let's say it is DNS - my ISP, Cablevision - what should I do?
 
(1) likely you made a typo; it's IPCONFIG /FLUSHDNS (not dnsflush)

get a cmd prompt and test with NSLOOKUP PAYPAL.COM

I get:
  • Non-authoritative answer:
  • Name: PAYPAL.COM
  • Addresses: 66.211.169.3
  • 66.211.169.66
 
Currently just the same - and able to sign in at paypal.com - will test this way if error appears.

Thanks!

ps Called my ISP and they will take a look too.
 
Problem is back..and worse in a way. I entered the IP (both of them) for paypal and was told

"Your connection is not private
Attackers might be trying to steal your information from 66.211.169.3 (for example, passwords, messages, or credit cards).

NET::ERR_CERT_COMMON_NAME_INVALID
Subject: paypal.com

Issuer: DigiCert SHA2 High Assurance Server CA

Expires on: Dec 16, 2016

Current date: Feb 15, 2016"

I dumped dns cache into a text file and found
"
www.paypal.com
----------------------------------------
Record Name . . . . . : www.paypal.com
Record Type . . . . . : 1
Time To Live . . . . : 8201
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 54.221.204.162"

Which is NOT paypal, but it is https://www.wormly.com/ instead


It seems to say that the issue is beyond me...any help would be appreciated.
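
The cache check described in the post above, as an added example that is not part of the original thread: it parses `ipconfig /displaydns` output and reports cached A records for watched hostnames that differ from a trusted answer. The www.paypal.com record is the one quoted in the thread; the second record and the `EXPECTED` set (taken here from the nslookup answer quoted earlier) are assumptions, and in practice the expected addresses come from a resolver you trust.

```python
import re

# Text shaped like `ipconfig /displaydns` output. The www.paypal.com entry is the
# one quoted in the thread; the paypal.com entry is constructed for contrast.
SAMPLE_DISPLAYDNS = """\
    www.paypal.com
    ----------------------------------------
    Record Name . . . . . : www.paypal.com
    Record Type . . . . . : 1
    Time To Live . . . . : 8201
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 54.221.204.162

    paypal.com
    ----------------------------------------
    Record Name . . . . . : paypal.com
    Time To Live . . . . : 120
    A (Host) Record . . . : 66.211.169.3
"""

# Assumption: addresses a trusted resolver returned for each watched name.
TRUSTED = {"66.211.169.3", "66.211.169.66"}
EXPECTED = {"paypal.com": TRUSTED, "www.paypal.com": TRUSTED}

FIELD = re.compile(r"^\s*(Record Name|Time To Live|A \(Host\) Record)[\s.]*:\s*(\S+)\s*$")

def parse_a_records(text):
    """Return [(name, ip, ttl)] for every cached A record in the dump."""
    records, name, ttl = [], None, None
    for m in filter(None, map(FIELD.match, text.splitlines())):
        key, value = m.groups()
        if key == "Record Name":
            name, ttl = value.lower(), None   # a new cache entry starts here
        elif key == "Time To Live":
            ttl = int(value)
        elif name is not None:                # "A (Host) Record" line
            records.append((name, value, ttl))
    return records

def find_mismatches(text, expected):
    """Cached A records for watched names that the trusted answer does not contain."""
    return [(n, ip, ttl) for n, ip, ttl in parse_a_records(text)
            if n in expected and ip not in expected[n]]

if __name__ == "__main__":
    for name, ip, ttl in find_mismatches(SAMPLE_DISPLAYDNS, EXPECTED):
        print(f"{name}: cached {ip} (TTL {ttl}s) is not in the trusted answer")
```

A mismatch is a lead, not proof of tampering: large sites can legitimately return different addresses per resolver or region, so confirm against the hosts file and a second trusted resolver before drawing conclusions.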
 
Another thought - what program or service created the local DNS cache - if there were a problem with that - what is it? -how could you test it? - how could you fix it?
 
That sounds like you have been hacked and have a redirect in your machine for paypal but without being there
 
Poking around further I think I have discovered something - but do not know what to do about it. Apparently, Google DNS cache is getting the IP for PayPal mixed up with other IPs in the local machine DNS resolver. I also imagine that if I knew Firefox, I would find something similar going on there. See the screenshot below and let me know what you think.

PayPal Problem 8 wrong IP in Google DNS Cache.png
 