www.paypal.com uses an invalid security certificate?

VirtualLarry

No Lifer
Aug 25, 2001
56,570
10,196
126
www.paypal.com uses an invalid security certificate.

The certificate does not come from a trusted source.

Error code: MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED

---

Can someone else download Firefox Nightly, and tell me if they are seeing this error on Paypal? What's going on here? Is someone MITM'ing my hardwired internet connection?
 

esquared

Forum Director & Omnipotent Overlord
Forum Director
Oct 8, 2000
24,165
5,302
146
I don't know what FF Nightly is but I have FF that's up to date and I don't see any issues with your link.
 

VirtualLarry

Firefox Nightly is the daily-build testing version, that's like 2-3 versions ahead of Firefox. I like cutting-edge code, but unfortunately, sometimes, there's breakage. I would like to know if this is just breakage, or if it's more advanced at detecting a MITM situation, and my internet has, in fact, been MITM'ed.

https://www.mozilla.org/en-US/firefox/channel/desktop/
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
Try it with IE and see what it says. Get more info about the certificate like the date of issuance, common name, and cipher types. I can compare it with what I am seeing.
 

PliotronX

Ah, makes sense. That was a long time coming and a result of the Symantec certificate authority being responsible for issuing EV certs erroneously at least twice in so many years, so Google's like "smell you later." And Mozilla is following suit...
 

VirtualLarry

Some eBay domains do that too. I guess they have Symantec certs too?

Will they ever update their certs, so I can use their sites, or did my browser pin the old "bad" cert locally, due to cert pinning, and the site already has a new cert, but I'm not seeing it? Is that possible?
 

PliotronX

Yeah, I would expect they use the same, being owned and operated under one umbrella now :) I would look for an about:config option to try to work around this, because it really doesn't enhance your security, and if they were to RTW this change, it would cause a lot of headaches, though at some point most likely the big websites affected would update their certs. For now, since most stable release browsers are not affected, I would not expect many admins to make a move, so your options are to ignore the warning, find a workaround, or use a stable build.
 

VirtualLarry

Mozilla specifically won't let you "Ignore" the warning. Simply, no access at all to that site. Yes, I can use a different Mozilla-based 3rd-party browser to access.
 

PliotronX

In that case, might check out IEtab so it opens in a tab in IE, unless you've got cool sniping plugins :) To answer your question about some pages on eBay showing the same, they may already be in the process of it. In this age of load balancing and "cloud" design, you might just be directed to a server that has not been given love. I actually ran into this in an AD environment where their domain.com did not update its DNS with root hints for some reason and, as a result, internal resolutions of their own website showed a cert warning (simply expired), but it showed fine outside of the office or using public DNS. Every network has different ways of rolling out updates and configs to hundreds or thousands of servers, so perhaps eBay's is not quite efficient enough to keep up. I can only hope they have some kind of automated cert enrollment, otherwise I feel for those admins...
 

Plar

Junior Member
Aug 6, 2018
22
0
16
I don't know what the problem is, but I had a similar problem. This problem was resolved on its own in a few days. I was able to go in and carry out the necessary operations. I think this is an internal service error that doesn't depend on the user.