Firefox seems to be OK with it, but I don't want to log in on any browser in case I have some malware doing this. However, I can't seem to find anything, so I'm not sure what it is.

Chrome says it's using TLS 1.2 and there are insecure resources on the page; apparently the site "loaded an insecure script". I am a bit scared to log in in case this is some kind of MITM attack. I already disabled all of my Chrome extensions, just in case, but this is still here.

Edit: just checked, other HTTPS pages seem to work in Chrome; it's just PayPal (that I know of) that's doing this.

  • Did you try clearing your browser cache? – Jonathan Gray Feb 24 '16 at 22:21
  • Just did, didn't seem to fix it. –  Feb 24 '16 at 22:22
  • Can you post a screenshot of the error that Chrome is reporting? Which version of Chrome are you using? To find this, go to chrome://version/ – KingJohnno Feb 24 '16 at 22:35
  • Am using 48.0.2564.116 (Official Build) m (64-bit), here's a screenshot: https://vgy.me/CcT2x1.png –  Feb 24 '16 at 22:38
  • If you click the lock it will give more information about the certificate and why it is red. Is it saying anything else other than the insecure script? –  Feb 24 '16 at 23:05
  • It says "Active Mixed Content You have recently allowed insecure content (such as scripts or iframes) to run on this site. View requests in Network Panel" –  Feb 24 '16 at 23:12
  • Do you have any browser extensions installed? If so, try disabling them. – Jonathan Gray Feb 25 '16 at 00:26
  • I already tried that. –  Feb 25 '16 at 00:37
  • Mine shows green Version 48.0.2564.116 (64-bit). You could have some plugin or extension that is loading insecure content. Open an incognito window and try. – jwilleke Feb 25 '16 at 12:23

1 Answer

I believe the primary reason you are getting an error message regarding insecure resources is because PayPal is serving their favicon over regular http instead of https. Firefox and Pale Moon do not give an error for favorite icons, but they do for other content.

This is funny to me because they serve the favicon several times, and one of them is https.

The other message regarding obsolete ciphers is most likely because of a separate MAC for message authentication, rather than using an AEAD cipher such as AES-GCM. This is less likely to raise an error and does not do so on most browsers unless RC4 is used.

Richie Frame
  • Why do you say that? When I look at the page source, I see several links to `favicon`s, all of them are over `https`. And if you're right, why doesn't it give that error for me? – Neil Smithline Feb 25 '16 at 02:36
  • @NeilSmithline In the source I found 3 references through http and 1 through https, specifically on this page: https://www.paypal.com/signin/?country.x=US&locale.x=en_US – Richie Frame Feb 25 '16 at 02:41
  • I'm using Chrome and I don't have the issue – Jonathan Gray Feb 25 '16 at 03:27
  • I am also starting to think this is not the issue, the unencrypted resources are specifically for Internet Explorer application pinning, so Chrome would ignore that entire section of code – Richie Frame Feb 25 '16 at 22:20
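
The thread turns on which plain-http references in a page's source the browser actually loads. The following is an added example, not part of the original question or answers: it scans saved page source and separates http references into active content (scripts, frames, stylesheets), passive content (images, icons) and URLs that only appear inside `<meta>` hints such as the IE pinning tags mentioned above. It covers more tag types than the favicon case discussed; the names `scan` and `MixedContentScanner`, the category mapping and the example.com hosts are assumptions of this sketch.

```python
import re
from html.parser import HTMLParser
# Simplified classification: an assumption of this example, not a browser's exact rules.
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src")}
HTTP_URL = re.compile(r"http://[^\s;\"'<>]+", re.IGNORECASE)

class MixedContentScanner(HTMLParser):
    # Collects (category, tag, url) for every plain-http reference in a page.
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta":
            # e.g. IE pinned-site hints: URLs sit inside content=, not fetched on page load
            for url in HTTP_URL.findall(a.get("content", "")):
                self.findings.append(("metadata", tag, url))
        elif tag == "link":
            rel = a.get("rel", "").lower().split()
            category = "active" if "stylesheet" in rel else "passive" if "icon" in rel else None
            self._record(category, tag, a.get("href", ""))
        else:
            for name, value in a.items():
                if (tag, name) in ACTIVE:
                    self._record("active", tag, value)
                elif (tag, name) in PASSIVE:
                    self._record("passive", tag, value)

    def _record(self, category, tag, url):
        if category and url.strip().lower().startswith("http://"):
            self.findings.append((category, tag, url.strip()))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page; hosts are placeholders, not PayPal's markup.
SAMPLE = """<html><head>
<link rel="shortcut icon" href="https://static.example.com/favicon.ico">
<link rel="icon" href="http://static.example.com/favicon.ico">
<meta name="msapplication-task" content="name=Log in;action-uri=https://www.example.com/signin;icon-uri=http://static.example.com/favicon.ico">
<script src="http://cdn.example.net/widget.js"></script>
</head><body><img src="http://static.example.com/logo.png"></body></html>"""
if __name__ == "__main__":
    for category, tag, url in scan(SAMPLE):
        print(f"{category:8} <{tag}> {url}")
```

An "active" finding that is absent from the source served by the site but present in the browser's Network panel points at something local (an extension, proxy or injected script) rather than the site itself.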