Reminder: PayPal Will Require TLS 1.2 in 2017
Merchants and End Users Will Need To Support TLS 1.2.
In 2017, PayPal endpoints and APIs will require that connections use TLS 1.2 and HTTP/1.1 for optimal security (this also applies to Braintree). The payment company originally publicized this earlier this year, but we wanted to spread the word again to make sure everyone is aware.
“On June 30, 2017, PayPal will begin the process of discontinuing support for TLS 1.0 and 1.1. This means all merchant API communications with PayPal will need to use TLS 1.2.”
While TLS 1.0 and 1.1 are not officially deprecated like SSL 3.0, they are known to have security vulnerabilities. Attacks like POODLE and CRIME affect those TLS versions, but not 1.2. In its background whitepaper, PayPal writes “the risk of breach with older versions of TLS is significant, and PayPal intends to pursue the most secure options available.”
This upgrade is coming “despite recent PCI Council recommendations to delay the mandate to upgrade to at least TLS 1.1 and preferably 1.2 until 2018.” We are very happy to see PayPal staying ahead of the curve here, given how many payments are processed with them per day.
The TLS 1.2 requirement will be site-wide, including consumer-facing sites like “www.PayPal.com.” More everyday end users than merchants and sellers are likely to be affected.
Most merchants likely support TLS 1.2 already and are ready to go. A merchant is more likely to have TLS 1.2 disabled than to lack the capability to support it, so this upgrade should affect a very small number of merchants. Probably the most notable client that does not support TLS 1.2 is Android 4.0.X and earlier, but those devices account for less than 3% of all Android devices.
For any merchants concerned about their compatibility, you can read about and test your configuration at PayPal’s dedicated microsite.