The certificates used in the checkout flow process as legitimate but nonetheless look hinky to me. From GoDaddy, "domain control verified"? I don't seem to recall this, from prior use (it's been a while) of oreilly.com .
ADDENDUM: It's probably legitimate, but it still bothers me -- as have some other aspects of my online experiences with O'Reilly. For a site that supports purchases, I'd expect a bit more authentication with respect to the certificate(s).
PayPal API's Up and Running.
by Michael Balderas