19

Trying to buy some games from GoG, click Paypal and Chrome shows me this page:

[screenshot of the Chrome warning page]

I'm not entirely sure how to work out what's going on here. I am a Bitcoin user so my immediate fear is my network/computer has been compromised somehow.

Any help appreciated.

Other browsers

Fails to load in Chrome, and on iPhone over Wi-Fi.
Loads fine on PC in FF/IE, and loads fine on iPhone over 4G.

Copy of the .cer file:
https://www.dropbox.com/s/wg5oczk8wgyjjcr/paypal_bitpay.cer

What I've tried

  • Reinstalled Chrome (no help)
  • Ran full virus scan (no threats)
  • Ran Malwarebytes scan (no threats)
  • Updated router to latest firmware
  • Changed all router passwords
  • Cleared SSL state on machine
  • Wiped Chrome cache completely

Problem still persists!

Fixed

Changed DNS to Google's (8.8.8.8) and it works now. Any ideas why this is so?

Tom Gullen
  • Unless you came from the BitPay website, the certificate that you provided a screenshot of is not [PayPal's SSL Certificate](http://i.stack.imgur.com/Bfiw3.png). You should always trust a browser when it says the website you're trying to visit isn't safe if it's a secure HTTP connection. – Ramhound Jul 24 '14 at 11:41
  • @Ramhound, I understand, but I'm really confused about what could possibly be causing this right now – Tom Gullen Jul 24 '14 at 11:42
  • It sounds like you are infected with malware. I provided the actual certificate for PayPal. Chrome uses the certificate store of the operating system, so if that's been infected with an invalid certificate, IE will present the same certificate when you visit [PayPal](https://www.paypal.com/home) – Ramhound Jul 24 '14 at 11:45
  • What's the date and time on your computer? Check it against an online source for your town/country. Your computer should be "to the minute"... – Kinnectus Jul 24 '14 at 11:49
  • @BigChris I'm in London and my computer time is showing the correct time. TimeZone is set to (UTC) London – Tom Gullen Jul 24 '14 at 11:51
  • I am interested if IE detects the same certificate. You don't even have to log into your account. Just go to PayPal and click on the lock; the details of the certificate and its path should be in the dialog box that appears. – Ramhound Jul 24 '14 at 11:57
  • @ramhound loads fine in IE, here's a screenshot: http://i.imgur.com/b2qDTxk.png It's probably the first time I've ever opened IE on this computer though if it makes any difference. – Tom Gullen Jul 24 '14 at 12:03
  • For what it's worth, the current PayPal certificate has this SHA1 fingerprint: `08:4B:E8:76:96:82:23:68:28:D8:E9:DC:55:90:1E:53:E8:EB:84:32` and was issued by VeriSign. – Cristian Ciupitu Jul 24 '14 at 12:04
  • @CristianCiupitu I get that in IE. Would this suggest it's probably not a network issue/MITM? – Tom Gullen Jul 24 '14 at 12:06
  • Do you have any extensions installed that have gone wrong? – Kinnectus Jul 24 '14 at 12:07
  • The first step would be to delete your Chrome profile and see if this still happens. If it does, verify the behavior happens in Firefox and IE. You are using the current version of Chrome, right? Chrome recently made a change to make the "address bar" more friendly. It's possible that while it indicates `https://www.paypal.com`, you are not actually on that website. – Ramhound Jul 24 '14 at 12:08
  • **We have not ruled out a MITM attack at this time** – Ramhound Jul 24 '14 at 12:09
  • @BigChris the same happens in incognito mode which I believe disables extensions? Only extensions I have installed are adblockplus and reddit enhancement suite. – Tom Gullen Jul 24 '14 at 12:10
  • @Ramhound I'm using Chrome 36.0.1985.125m Will delete Chrome profile and see what happens. – Tom Gullen Jul 24 '14 at 12:11
  • Just reinstalled Chrome completely, no addons, fresh install. Problem persists. – Tom Gullen Jul 24 '14 at 12:26
  • My iPhone over wifi can't establish a connection to Paypal.com, error is "Safari cannot open the page because it could not establish a secure connection to the server" – Tom Gullen Jul 24 '14 at 12:30

2 Answers

23

I don't think we need to say this, but do not accept that certificate.

Either something is wrong with your connection and you have a man in the middle, or something went terribly wrong on your browser, or some application server at PayPal was compromised.

Since everything looks normal from here, and the certificate is legitimate, don't trust whatever is on the other side.

Can you download the certificate and share it with us, out of curiosity?

Are you using a proxy somewhere? Even if you think you aren't, can you check your network and browser configuration to find it out? You may have malware installed or are using a rogue proxy.


Since the problem was fixed by changing the DNS server to Google's, I wonder what your DNS server was. It may have suffered DNS cache poisoning, or RAM problems in the server may have mixed up cache entries. But I suspect the former: maybe your ISP has suffered an attack. The output of the `host` or `dig` commands, directed at the server, may be useful to debug.

dig www.paypal.com @8.8.8.8

dig www.paypal.com @(your DNS server)

host www.paypal.com 8.8.8.8

host www.paypal.com (your DNS server)

Also: if even your iPhone was having similar problems, the problem is most certainly in your ISP's DNS server. I'm not sure how effective it will be to warn them, but it may be a good idea.

Valmiky Arquissandas
  • Thanks for the reply, would be happy to share the certificate but am unsure how to go about doing this. Not knowingly using a proxy, and again am unsure how to check everything to confirm this. – Tom Gullen Jul 24 '14 at 11:43
  • @TomGullen: go to the Details tab, you should have an "Export" button. Then you have to upload it somewhere (people usually give a public link to a Dropbox; that should work). – Valmiky Arquissandas Jul 24 '14 at 11:44
  • Here we go: https://www.dropbox.com/s/wg5oczk8wgyjjcr/paypal_bitpay.cer – Tom Gullen Jul 24 '14 at 11:47
  • The certificate seems to be valid; it is in fact identical to the one used by `https://www.bitpay.com`. It could be that either your [`/etc/hosts`](http://superuser.com/q/525688/1686) file has been modified to include `www.paypal.com` with the address of BitPay web servers, or that your DNS servers (as shown in `ipconfig` and `nslookup www.paypal.com`) are returning the wrong results. – u1686_grawity Jul 24 '14 at 12:21
  • It does not have to be the ISP DNS, it could also be the WIFI Router. – Martin Ueding Jul 24 '14 at 20:02
  • Indeed. That's actually scarier, and highly targeted. @TomGullen, are you using Wi-Fi? If so, is it unsecured (or WEP-"secured")? – Valmiky Arquissandas Jul 24 '14 at 20:14
  • @ValmikyArquissandas in the router page it says `Authentication method: WPA2-Personal`, `WPA Encryption: AES` and a `WPA-PSK` key has been set. Is that what you meant? – Tom Gullen Jul 24 '14 at 20:43
  • Just to be clear as well, we have an ASUS router and a Virgin Media modem. I might try taking the router out of the network and connecting directly to the modem to see if the problem persists (if it does, it's not the router's fault) – Tom Gullen Jul 24 '14 at 20:50
  • @TomGullen you can also try to set the DNS manually on the router to 8.8.8.8 – Aron Jul 25 '14 at 09:35
6
  1. On a trusted third-party computer that is not connected to your internet connection, download Ubuntu or something similar and slap it on a thumb drive or DVD.
  2. Boot this live operating system.
  3. Try to access PayPal from this environment
  4. Run `dig paypal.com` and post it here (not sure whether dig is available by default though).

If you still experience problems, it’s likely your router had its DNS services manipulated. This is possible when the router’s web interface has bugs which allow changing settings without authentication.

Sample output for comparison:

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> paypal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27146
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;paypal.com.                    IN      A

;; ANSWER SECTION:
paypal.com.             300     IN      A       66.211.169.66
paypal.com.             300     IN      A       66.211.169.3

;; Query time: 8 msec
;; SERVER: 108.59.15.5#53(108.59.15.5)
;; WHEN: Thu Jul 24 15:30:13 2014
;; MSG SIZE  rcvd: 60

Last but not least, the redirect doesn’t make too much sense: After all, BitPay is not grabbing PayPal credentials.

Daniel B
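An added example (not from the question or either answer) that automates the two checks the answers describe: diffing the A records two resolvers return for the same name, in the format `dig` prints them, and looking for a hosts-file override of the name. The dig outputs and the hosts file are constructed samples; 192.0.2.10 is a documentation placeholder address, not BitPay's.

```python
import re

# Constructed sample, modelled on the trusted-resolver dig output shown in the answer.
TRUSTED_DIG = """\
;; ANSWER SECTION:
paypal.com.             300     IN      A       66.211.169.66
paypal.com.             300     IN      A       66.211.169.3

;; Query time: 8 msec
"""

# Constructed sample of what a poisoned or hijacked resolver might return.
SUSPECT_DIG = """\
;; ANSWER SECTION:
paypal.com.             300     IN      A       192.0.2.10

;; Query time: 5 msec
"""

# Constructed hosts file containing an injected entry for www.paypal.com.
HOSTS_FILE = """\
127.0.0.1   localhost
192.0.2.10  www.paypal.com   # injected entry
"""

# One dig answer line: name, TTL, class IN, type A, IPv4 address.
A_RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)\s*$", re.M)

def answer_ips(dig_output):
    """Set of A-record addresses found in a dig ANSWER SECTION."""
    return {ip for _, ip in A_RECORD.findall(dig_output)}

def compare_resolvers(trusted, suspect):
    """Addresses the suspect resolver returns that the trusted one does not."""
    return sorted(answer_ips(suspect) - answer_ips(trusted))

def hosts_overrides(hosts_text, name):
    """Addresses a hosts file pins `name` to, ignoring comments and blank lines."""
    hits = set()
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if name.lower() in (n.lower() for n in names):
            hits.add(addr)
    return hits

def diagnose(trusted, suspect, hosts_text, name):
    """Collect findings from both checks; an empty list means nothing suspicious."""
    findings = []
    extra = compare_resolvers(trusted, suspect)
    if extra:
        findings.append(f"resolver mismatch, unexpected A records: {extra}")
    pinned = hosts_overrides(hosts_text, name)
    if pinned:
        findings.append(f"hosts file pins {name} to {sorted(pinned)}")
    return findings
```

Feed it the real `dig www.paypal.com @8.8.8.8` and `dig www.paypal.com @<your resolver>` outputs to reproduce the comparison the first answer asks for.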