Detection Posted May 21, 2012 Share Posted May 21, 2012 Everytime I open an email from paypal (Genuine) in WLMail, I get a popup complaining about the certificate, and when I take a look at it, it states VMWare ? Link to comment Share on other sites More sharing options...
+BudMan MVC Posted May 21, 2012 MVC Share Posted May 21, 2012 Why would you be seeing a SSL cert when opening up mail from paypal? I just looked at some email from paypal in in gmail, invoices and such for use of it. Official stuff, and there is no cert from paypal that I can see in there. Are you saying the email was signed with a vmware cert? Could you give some more details of how and when your seeing this. What are the details of the cert, next tab over on the top Link to comment Share on other sites More sharing options...
Detection Posted May 21, 2012 Author Share Posted May 21, 2012 Why would you be seeing a SSL cert when opening up mail from paypal? I just looked at some email from paypal in in gmail, invoices and such for use of it. Official stuff, and there is no cert from paypal that I can see in there. Are you saying the email was signed with a vmware cert? Could you give some more details of how and when your seeing this. I bought a few things from ebay using Paypal, and I receive my receipts to my live.co.uk email address using the Windows Live Mail client When I click on the paypal email to read it, a certificate error window pops up asking if I want to continue, cancel, or have a look at the certificate If I click continue I can view the paypal email, if I click to look at the certificate, the window I posted above appears Link to comment Share on other sites More sharing options...
+BudMan MVC Posted May 21, 2012 MVC Share Posted May 21, 2012 but live mail is a online service is it not? So that would cert for any email on their server? I will have to file up the live mail client and check it out.. I have a live.com address, but just view it online - I don't use the client. Have to run for work, but will check on it later today. What does it show in that details section.. Might be able to get a few clues to where the cert is coming from. Link to comment Share on other sites More sharing options...
Detection Posted May 21, 2012 Author Share Posted May 21, 2012 but live mail is a online service is it not? So that would cert for any email on their server? I will have to file up the live mail client and check it out.. I have a live.com address, but just view it online - I don't use the client. Have to run for work, but will check on it later today. What does it show in that details section.. Might be able to get a few clues to where the cert is coming from. You can use it offline, bit like Outlook I suppose but I always use it online. I've never seen this problem before on any email in this client. The last time I can remember getting certificate errors was when I had a weird combo of proxies and AP's and a 3G Dongle connection, and IE would give Cert errors on nearly every webpage, but that was on a different machine in a different life This machine is wired to dd-wrt router > openreach modem > phone socket. ----- Been looking through the message source details and came across this at the bottom https://102.112.2O7....123456?pageNam=e=3Dsystem_email_PP1003=22 When I googled the first IP part of the URL I found some posts with people complaining that that URL was causing their Outlook to crash with PP emails Another thing I noticed is the images on the PP emails are broken with red X in their place. Can't see anything in there about certificates, here is some of the sender info if it helps (Removed things that looked sensitive to PP) Authentication-Results: hotmail.com; sender-id=pass (sender IP is 173.0.84.227) header.sender=sendmail@paypal.com; dkim=pass header.d=paypal.co.uk; x-hmca=pass X-SID-PRA: sendmail@paypal.com X-SID-Result: Pass X-DKIM-Result: Pass X-Message-Status: p:1:n X-AUTH-Result: PASS Received: from mx0.slc.paypal.com ([173.0.84.227]) by BAY0-MC4-F12.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900); Mon, 21 May 2012 01:06:20 -0700 DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws; s=dkim; d=paypal.com; h=DKIM-Signature:Received:Date:Message-Id:Sender:Subject:X-MaxCode-Template:To:From:X-Email-Type-Id:X-XPT-XSL-Name:Content-Type:MIME-Version; DKIM-Signature: v=1; a=rsa-sha1; d=paypal.co.uk; s=dkim; c=relaxed/relaxed; q=dns/txt; i=@paypal.co.uk;; Link to comment Share on other sites More sharing options...
+BudMan MVC Posted May 21, 2012 MVC Share Posted May 21, 2012 but that https link is a link right, not a source of some image or anything? I don't show anything wrong with that cert So there must be something in that email that is calling a https link for say an image in that message, so when you try and load the image that cert is causing the popup because you don't trust the CA. When you look at the source of the message, look for all the img tags, are they using https in the location of the image, if so try to open them up on your own and check out the cert used. So this message is offline right? So something in that message must be trying to access something via https that is not quite right. Look in the message for anything with https url in it.. But it happens when you just open the email right, your not following some link in it? If your using a proxy, then sure that could cause a problem with cert, if they are trying to do a mitm on your ssl traffic and they replace all the certs with the one from the proxy. But if that was the case you would think any https thing you followed would be causing you the warning. But sure if you don't allow the cert to be used, and image is being loaded via https - then it couldn't load and you would get a red x vs the image. Link to comment Share on other sites More sharing options...
Detection Posted May 21, 2012 Author Share Posted May 21, 2012 Found this image URL in the source <a href=3D=22https://www.paypal.com/uk=22><img = src=3D=22http://images.paypal.com/en_US/i/logo/logo_emailheader_113wx46h.gi= f=22 border=3D=220=22 alt=3D=22PayPal=22/></a> I wonder if the last part of that URL should be .gif - the URL works if I make it so. I'm not running a proxy, I have a direct BB connection. The message is offline now yea, but the certificate error only happens when I open the message for the first time, even though I have not installed the Cert, once I hit Continue it never questions it again until I receive a new PP email I think your right about the image URL being the cause. Because it is https: and the URL is broken its confusing it somewhat, but why it would even mention vmware is confusing Link to comment Share on other sites More sharing options...
+BudMan MVC Posted May 21, 2012 MVC Share Posted May 21, 2012 so show that url as http://images.paypal.com/en_US/i/logo/logo_emailheader_113wx46h.gi= that image url is not https from what you posted. The link off click the image would be https://www.paypal.com which I show as a valid cert signed by verisign. yeah gi seems wrong to me as well.. But from the code you listed that image would not be over a https connection. Can you sniff your traffic while you create the problem, so we can see where its going to get this cert. Happy to look at the sniff if you send to me in PM, if you don't feel like posting public that sort of info. I would be VERY curious as well to what is causing this - I would be worried about attempts to mitm your ssl traffic, etc! More than likely its just a goof up on something.. But until you track down what is causing it, it is very wise to be concerned. Link to comment Share on other sites More sharing options...
Detection Posted May 21, 2012 Author Share Posted May 21, 2012 so show that url as http://images.paypal.com/en_US/i/logo/logo_emailheader_113wx46h.gi= that image url is not https from what you posted. The link off click the image would be https://www.paypal.com which I show as a valid cert signed by verisign. yeah gi seems wrong to me as well.. But from the code you listed that image would not be over a https connection. Can you sniff your traffic while you create the problem, so we can see where its going to get this cert. Happy to look at the sniff if you send to me in PM, if you don't feel like posting public that sort of info. I would be VERY curious as well to what is causing this - I would be worried about attempts to mitm your ssl traffic, etc! More than likely its just a goof up on something.. But until you track down what is causing it, it is very wise to be concerned. What would you use to sniff? Wireshark ? I'll stick a sticky note on my desktop to remind me about it because I don't have any PP emails on their way atm, and I've already opened and hit continue on the ones I have received so far so they won't bring it up again I've tried marking them as unread then opening them again but it doesn't have any effect. Any other site, I wouldn't really have thought about it, but seeing vmware certs on a PP email rang alarm bells Adding the correct .gif in place of the .gi shows the correct PP logo, and as the images are broken on the email I say that is at least one problem it has. http://images.paypal.com/en_US/i/logo/logo_emailheader_113wx46h.gif Link to comment Share on other sites More sharing options...
+BudMan MVC Posted May 21, 2012 MVC Share Posted May 21, 2012 yeah bad coding in the email, and bad ssl certs -- would ring alarm bells for me as well. yeah wireshark is what I would use. You have found an interesting issue -- very curious to what it turns out to be! Link to comment Share on other sites More sharing options...
Detection Posted May 21, 2012 Author Share Posted May 21, 2012 but that https link is a link right, not a source of some image or anything? Here is the full footer with that URL included. <span = class=3D=22xptFooter=22>Copyright =A9 1999-2012 PayPal. All rights = reserved.<br/><br/>PayPal (Europe) S.=E0 r.l. et Cie, = S.C.A.<br/>Soci=E9t=E9 en Commandite par Actions<br/>Registered Office: = 5th Floor 22-24 Boulevard Royal L-2449, Luxembourg<br/>RCS Luxembourg B = 118 349</span><br/><br/><span style=3D=22color: =23333333;font-family: = arial,helvetica,sans-serif;font-size:11px;=22><span class=3D=22xptFooter = ppid=22>PayPal Email ID PP843</span></span><img height=3D=221=22 = width=3D=221=22 = src=3D=22https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageNam= e=3Dsystem_email_PP843=22 border=3D=220=22 = alt=3D=22=22/></td></tr></table></div></body></html>= Link to comment Share on other sites More sharing options...
Detection Posted May 21, 2012 Author Share Posted May 21, 2012 Comparing the source from the Client vs Hotmail server, the source is different. The above is from the WLMail Client This below is from the online server at the bottom of any page.</p><p>Copyright =A9 2012 = PayPal. All rights reserved.<br/><br/>PayPal (Europe) S.=E0 r.l. et Cie, = S.C.A.<br/>Soci=E9t=E9 en Commandite par Actions<br/>Registered office: = 22-24 Boulevard Royal, L-2449 Luxemburg<br/>RCS Luxemburg B 118 = 349</p><img height=3D=221=22 width=3D=221=22 = src=3D=22https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageNam= e=3Dsystem_email_PP1003=22 border=3D=220=22 alt=3D=22=22/><p = class=3D=22xptFooter ppid=22>PayPal Email ID = PP1003</p></td></tr></table></div></body></html>= I've copied from around the same point to the very end of the email, and you can see even before the Copyright section on the first line it is already different, along with quite a bit more of it Could the client be causing the problem ? Link to comment Share on other sites More sharing options...
cybertimber2008 Posted May 21, 2012 Share Posted May 21, 2012 The valid window of March 13 means it's a recent change, and secondly, I don't think many websites do a one-year cert. BUT... do you have another computer than you can open the same email in the same way as you are right now and see if it prompts the same? Preferably a computer on the same network, same OS, same mail client. I'm wondering if it isn't a man in the middle attack. I did an extensive lab on it in one of my classes and it looked similar to this. Just wish certs showed what was trying to access that server. Link to comment Share on other sites More sharing options...
+BudMan MVC Posted May 21, 2012 MVC Share Posted May 21, 2012 A client should not be changing the source of the email that is for damn sure -- something wrong there!!! You sure your not just looking at different emails? One says ID is PP1003, other says PP843 -- not sure why footers would be different if same time frame, same type of email. From those numbers does not look like your looking at the same email. Could you have a cache issue? Link to comment Share on other sites More sharing options...
Detection Posted May 23, 2012 Author Share Posted May 23, 2012 Pretty sure they were the same emails, I checked the item I was getting the receipt for along with the time of the emails (My mistake, the PP1003 is another PP email, I got them both more or less at the same time and checked the source of the one above in haste) But an update, I ordered another couple of things, and got my receipts for them from PP again, this time running wireshark prepared for the certificate error, and surprise surprise because I was ready for it this time, I got no errors, the emails opened fine without complaints. Between the original errors and these ones I had to move the router and disconnect the power to get the cable where I needed it. Router is running DD-WRT, possibly it had cached something causing the problem that the reboot cleared ? Link to comment Share on other sites More sharing options...
cybertimber2008 Posted May 23, 2012 Share Posted May 23, 2012 Router is running DD-WRT, possibly it had cached something causing the problem that the reboot cleared ? I want to go with "no". Link to comment Share on other sites More sharing options...
+BudMan MVC Posted May 23, 2012 MVC Share Posted May 23, 2012 yeah I would have to go with no as well on that. Link to comment Share on other sites More sharing options...
Detection Posted May 23, 2012 Author Share Posted May 23, 2012 Well I had emailed PP too so something might have been changed their end too. Another one to add to the unexplained I guess, thanks for the help :) Link to comment Share on other sites More sharing options...
Recommended Posts