Paypal email certificate problem

[Detection]

Everytime I open an email from paypal (Genuine) in WLMail, I get a popup complaining about the certificate, and when I take a look at it, it states VMWare ?

[+BudMan MVC]

Why would you be seeing a SSL cert when opening up mail from paypal? I just looked at some email from paypal in in gmail, invoices and such for use of it. Official stuff, and there is no cert from paypal that I can see in there.

Are you saying the email was signed with a vmware cert?

Could you give some more details of how and when your seeing this. What are the details of the cert, next tab over on the top

[Detection]

Why would you be seeing a SSL cert when opening up mail from paypal? I just looked at some email from paypal in in gmail, invoices and such for use of it. Official stuff, and there is no cert from paypal that I can see in there.

Are you saying the email was signed with a vmware cert?

Could you give some more details of how and when your seeing this.

I bought a few things from ebay using Paypal, and I receive my receipts to my live.co.uk email address using the Windows Live Mail client

When I click on the paypal email to read it, a certificate error window pops up asking if I want to continue, cancel, or have a look at the certificate

If I click continue I can view the paypal email, if I click to look at the certificate, the window I posted above appears

[+BudMan MVC]

but live mail is a online service is it not? So that would cert for any email on their server?

I will have to file up the live mail client and check it out.. I have a live.com address, but just view it online - I don't use the client.

Have to run for work, but will check on it later today. What does it show in that details section.. Might be able to get a few clues to where the cert is coming from.

[Detection]

but live mail is a online service is it not? So that would cert for any email on their server?

I will have to file up the live mail client and check it out.. I have a live.com address, but just view it online - I don't use the client.

Have to run for work, but will check on it later today. What does it show in that details section.. Might be able to get a few clues to where the cert is coming from.

You can use it offline, bit like Outlook I suppose but I always use it online. I've never seen this problem before on any email in this client.

The last time I can remember getting certificate errors was when I had a weird combo of proxies and AP's and a 3G Dongle connection, and IE would give Cert errors on nearly every webpage, but that was on a different machine in a different life

This machine is wired to dd-wrt router > openreach modem > phone socket.

-----

Been looking through the message source details and came across this at the bottom

https://102.112.2O7....123456?pageNam=e=3Dsystem_email_PP1003=22

When I googled the first IP part of the URL I found some posts with people complaining that that URL was causing their Outlook to crash with PP emails

Another thing I noticed is the images on the PP emails are broken with red X in their place.

Can't see anything in there about certificates, here is some of the sender info if it helps (Removed things that looked sensitive to PP)

Authentication-Results: hotmail.com; sender-id=pass (sender IP is 173.0.84.227) [email protected]; dkim=pass header.d=paypal.co.uk; x-hmca=pass
X-SID-PRA: [email protected]
X-SID-Result: Pass
X-DKIM-Result: Pass
X-Message-Status: p:1:n
X-AUTH-Result: PASS

Received: from mx0.slc.paypal.com ([173.0.84.227]) by BAY0-MC4-F12.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
	 Mon, 21 May 2012 01:06:20 -0700
DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws;
	s=dkim; d=paypal.com;
	h=DKIM-Signature:Received:Date:Message-Id:Sender:Subject:X-MaxCode-Template:To:From:X-Email-Type-Id:X-XPT-XSL-Name:Content-Type:MIME-Version;


DKIM-Signature: v=1; a=rsa-sha1; d=paypal.co.uk; s=dkim; c=relaxed/relaxed;
	q=dns/txt; [email protected];;

[+BudMan MVC]

but that https link is a link right, not a source of some image or anything?

I don't show anything wrong with that cert

So there must be something in that email that is calling a https link for say an image in that message, so when you try and load the image that cert is causing the popup because you don't trust the CA.

When you look at the source of the message, look for all the img tags, are they using https in the location of the image, if so try to open them up on your own and check out the cert used.

So this message is offline right? So something in that message must be trying to access something via https that is not quite right. Look in the message for anything with https url in it.. But it happens when you just open the email right, your not following some link in it?

If your using a proxy, then sure that could cause a problem with cert, if they are trying to do a mitm on your ssl traffic and they replace all the certs with the one from the proxy. But if that was the case you would think any https thing you followed would be causing you the warning.

But sure if you don't allow the cert to be used, and image is being loaded via https - then it couldn't load and you would get a red x vs the image.

[Detection]

Found this image URL in the source

<a href=3D=22https://www.paypal.com/uk=22><img =

src=3D=22http://images.paypal.com/en_US/i/logo/logo_emailheader_113wx46h.gi=

f=22 border=3D=220=22 alt=3D=22PayPal=22/></a>

I wonder if the last part of that URL should be .gif - the URL works if I make it so.

I'm not running a proxy, I have a direct BB connection.

The message is offline now yea, but the certificate error only happens when I open the message for the first time, even though I have not installed the Cert, once I hit Continue it never questions it again until I receive a new PP email

I think your right about the image URL being the cause. Because it is https: and the URL is broken its confusing it somewhat, but why it would even mention vmware is confusing

[+BudMan MVC]

so show that url as

http://images.paypal.com/en_US/i/logo/logo_emailheader_113wx46h.gi=

that image url is not https from what you posted. The link off click the image would be https://www.paypal.com which I show as a valid cert signed by verisign.

yeah gi seems wrong to me as well.. But from the code you listed that image would not be over a https connection.

Can you sniff your traffic while you create the problem, so we can see where its going to get this cert. Happy to look at the sniff if you send to me in PM, if you don't feel like posting public that sort of info.

I would be VERY curious as well to what is causing this - I would be worried about attempts to mitm your ssl traffic, etc! More than likely its just a goof up on something.. But until you track down what is causing it, it is very wise to be concerned.

[Detection]

so show that url as

http://images.paypal.com/en_US/i/logo/logo_emailheader_113wx46h.gi=

that image url is not https from what you posted. The link off click the image would be https://www.paypal.com which I show as a valid cert signed by verisign.

yeah gi seems wrong to me as well.. But from the code you listed that image would not be over a https connection.

Can you sniff your traffic while you create the problem, so we can see where its going to get this cert. Happy to look at the sniff if you send to me in PM, if you don't feel like posting public that sort of info.

I would be VERY curious as well to what is causing this - I would be worried about attempts to mitm your ssl traffic, etc! More than likely its just a goof up on something.. But until you track down what is causing it, it is very wise to be concerned.

What would you use to sniff? Wireshark ?

I'll stick a sticky note on my desktop to remind me about it because I don't have any PP emails on their way atm, and I've already opened and hit continue on the ones I have received so far so they won't bring it up again

I've tried marking them as unread then opening them again but it doesn't have any effect.

Any other site, I wouldn't really have thought about it, but seeing vmware certs on a PP email rang alarm bells

Adding the correct .gif in place of the .gi shows the correct PP logo, and as the images are broken on the email I say that is at least one problem it has.

http://images.paypal.com/en_US/i/logo/logo_emailheader_113wx46h.gif

[+BudMan MVC]

yeah bad coding in the email, and bad ssl certs -- would ring alarm bells for me as well.

yeah wireshark is what I would use.

You have found an interesting issue -- very curious to what it turns out to be!

[Detection]

but that https link is a link right, not a source of some image or anything?

Here is the full footer with that URL included.

<span =
class=3D=22xptFooter=22>Copyright =A9 1999-2012 PayPal. All rights =
reserved.<br/><br/>PayPal (Europe) S.=E0 r.l. et Cie, =
S.C.A.<br/>Soci=E9t=E9 en Commandite par Actions<br/>Registered Office: =
5th Floor 22-24 Boulevard Royal L-2449, Luxembourg<br/>RCS Luxembourg B =
118 349</span><br/><br/><span style=3D=22color: =23333333;font-family: =
arial,helvetica,sans-serif;font-size:11px;=22><span class=3D=22xptFooter =
ppid=22>PayPal Email ID PP843</span></span><img height=3D=221=22 =
width=3D=221=22 =
src=3D=22https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageNam=
e=3Dsystem_email_PP843=22 border=3D=220=22 =
alt=3D=22=22/></td></tr></table></div></body></html>=

[Detection]

Comparing the source from the Client vs Hotmail server, the source is different.

The above is from the WLMail Client

This below is from the online server

at the bottom of any page.</p><p>Copyright =A9 2012 =
PayPal. All rights reserved.<br/><br/>PayPal (Europe) S.=E0 r.l. et Cie, =
S.C.A.<br/>Soci=E9t=E9 en Commandite par Actions<br/>Registered office: =
22-24 Boulevard Royal, L-2449 Luxemburg<br/>RCS Luxemburg B 118 =
349</p><img height=3D=221=22 width=3D=221=22 =
src=3D=22https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/123456?pageNam=
e=3Dsystem_email_PP1003=22 border=3D=220=22 alt=3D=22=22/><p =
class=3D=22xptFooter ppid=22>PayPal Email ID =
PP1003</p></td></tr></table></div></body></html>=

I've copied from around the same point to the very end of the email, and you can see even before the Copyright section on the first line it is already different, along with quite a bit more of it

Could the client be causing the problem ?

[cybertimber2008]

The valid window of March 13 means it's a recent change, and secondly, I don't think many websites do a one-year cert.

BUT... do you have another computer than you can open the same email in the same way as you are right now and see if it prompts the same? Preferably a computer on the same network, same OS, same mail client.

I'm wondering if it isn't a man in the middle attack. I did an extensive lab on it in one of my classes and it looked similar to this. Just wish certs showed what was trying to access that server.

[+BudMan MVC]

A client should not be changing the source of the email that is for damn sure -- something wrong there!!!

You sure your not just looking at different emails? One says ID is PP1003, other says PP843 -- not sure why footers would be different if same time frame, same type of email. From those numbers does not look like your looking at the same email. Could you have a cache issue?

[Detection]

Pretty sure they were the same emails, I checked the item I was getting the receipt for along with the time of the emails (My mistake, the PP1003 is another PP email, I got them both more or less at the same time and checked the source of the one above in haste)

But an update, I ordered another couple of things, and got my receipts for them from PP again, this time running wireshark prepared for the certificate error, and surprise surprise because I was ready for it this time, I got no errors, the emails opened fine without complaints.

Between the original errors and these ones I had to move the router and disconnect the power to get the cable where I needed it.

Router is running DD-WRT, possibly it had cached something causing the problem that the reboot cleared ?

[cybertimber2008]

Router is running DD-WRT, possibly it had cached something causing the problem that the reboot cleared ?

I want to go with "no".

[+BudMan MVC]

yeah I would have to go with no as well on that.

[Detection]

Well I had emailed PP too so something might have been changed their end too.

Another one to add to the unexplained I guess, thanks for the help :)