Paypal.com is using revoked certificate (www.ssllabs.com)
57 points by buzer | 2022-10-14 21:22:13 | 22 comments




PayPal appears to be serving revoked certificate. https://crt.sh/?q=+46702bcc869d216e7225cee5ac729ea769a3cf032...

Firefox blocks access to the site; I think most other browsers do not.


> Firefox blocks access to the site; I think most other browsers do not.

www.paypal.com returns a valid certificate. Chromium based browsers redirect to there. Firefox doesn't redirect there unless you first visit www.paypal.com. Once you have visited www.paypal.com in Firefox, paypal.com gets redirected there.

This is not my area of technical expertise so why things get redirected one way versus the other I don't know, this is just the behavior I have observed.


I also noticed that even though Firefox would start redirecting to www, I could then delete the www and force it to try to go to https://paypal.com anyway, at which time I would receive the revocation error.

Edit: Figured it out more reproducibly. https://paypal.com gives the revocation error. https://paypal.com/ redirects to www, although clicking on these links acts the same and tries to use the revoked cert.


Why are other browsers allowing access when Firefox is not?

Isn’t this a security issue?


Yes, to an extent, but given the state of certificate revocation, some might say this is "by design".

There are 2 main ways to revoke a certificate - one is by listing it on a certificate revocation list (CRL), whose URL is inside the CA certificate. This means to check the CRL, the client leaks their IP to the CA operator every time they check. The list of revoked certificates can be as long as the list of certificates issued which are still unexpired - that could be a large download, and you'll need to refresh it periodically.

A lot of implementations don't bother using CRLs as a result.

The alternative is OCSP, where you can query (in real-time) with the CA whether a given certificate is still valid or not. This means you're revealing which certificate you're checking, so you're telling a third party every time you visit a site. Since OCSP is just a way of getting a refreshed signed confirmation the certificate isn't expired, OCSP stapling is an option, where your web server requests a timestamped OCSP statement and serves it to all requesters - they can check the signature on the OCSP response, and know the certificate wasn't revoked at the time of the CA-signed timestamp.

OCSP stapling solves the privacy issue of leaking the sites you visit in real time, and also avoids browsers having to fetch a large CRL list regularly.

Revocation is a challenge any time you do certificates or signed data - same with JWT/Paseto - in a distributed system a signed bearer token can solve state sync challenges, but then your new state sync challenge is syncing token revocation!


How does a company like this get to this point? It seems like every week I hear about how they have found a new way to fuck up?

It gets so big that people lose their ability to care. It's easy to care when you know your boss and your decisions can affect the 40-50 people at your company. When it's thousands, you no longer care.

Even more dangerous is when they let the domains/subdomains expire. In this case anybody can grab the domain name and serve anything they want.

There's a redemption grace period where the owner (and only the owner) can renew the domain. After that, anyone can pick it up, but accidentally letting a domain expire is "only" some downtime, and if you didn't notice during the month of grace period then it's probably okay to expire.

What was the last fuckup of this scale from PayPal which you can name?

They decided that they are the moral police and will directly fine customers for being mean on the internet or doing anything else they alone decide they don't like.

see https://news.ycombinator.com/item?id=33062320 https://news.ycombinator.com/item?id=32945147 https://news.ycombinator.com/item?id=33151975 https://news.ycombinator.com/item?id=33136147 https://news.ycombinator.com/item?id=33134249 https://news.ycombinator.com/item?id=32980157

tldr: dumpster fire of a company, don't hold assets in a PayPal account and I wouldn't even add long-term payment methods.


So what about things which they have actually done?

Did you read any of the attached? They have banned people for no reason and decided the money in their account was forfeit as a result. All of these things they have "actually done"; I'm not sure what more you'd hope for them to do before declaring it bad?

Updating user agreements with nonsensical statements, threatening users with "fines" without involving the court system at all? Declaring themselves capable of deciding what's acceptable internet conduct for their users to engage in?

If these and all the attached threads don't seem like a red flag to you at all, I'd question what the hell does?


> If these and all the attached threads don't seem like a red flag to you at all, I'd question what the hell does?

Everything described seems perfectly normal, it’s like this no matter which bank you work with. Paypal just attracts a lot of people who haven’t worked with payment processing before, so this naturally comes as a shock to them.


Status Quo != Acceptable, even if other payment processors decide they are doing the same thing, PayPal also operates in large as a wallet of sorts, meaning it's not only commercial companies but users who are affected by this. Unclear writing means PayPal could "at their sole discretion" decide you tweeted (for example) something they didn't like or deemed against their user agreement and without involving the law at all just fine you for it?

My personal bank has no such clauses in their user agreement, nor anything apart from their compliance with legal requests to freeze accounts. For users who treat PayPal like a sort of bank, this is a problem.

I'd also like to see the clauses in Stripe, Square, etc agreements that parallel PayPal's position that they can decide who is doing mean things on the internet and fine them for it.


Could someone explain certificates to me? I understand public/private asymmetric encryption.

Cryptography is an implementation detail.

When you connect to PayPal, how do you know it is actually PayPal?

Well, they show you a certificate saying that they are.

Why would you trust that certificate?

Well, it was issued by someone you trust already, some sort of authority. The authority can revoke certificates they issued before, that may happen for all sorts of reasons.

Looks like this is what happened here.


https://www.youtube.com/watch?v=SJJmoDZ3il8

>>SSL Certificate Explained

https://www.youtube.com/watch?v=86cQJ0MMses

>>TLS Handshake Explained - Computerphile


The Wikipedia article about PKI is a pretty good introduction.

https://en.wikipedia.org/wiki/Public_key_infrastructure


It appears they have blocked or rate limited Qualys for scanning them too much, but testssl [1] still works. I am not worried about being blocked since I just closed my account from 2001.

The only serious warning I see is "Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat (6 attempts)". They otherwise get an "A+".

Perhaps they have WAN accelerators or anycast proxies with bad certs that are region specific?

[1] - https://github.com/drwetter/testssl.sh [depends on bash and openssl]

