Reminder: PayPal Will Require TLS 1.2 in 2017
Merchants and End Users Will Need To Support TLS 1.2.
In 2017, PayPal endpoints and APIs will require connections to use TLS 1.2 and HTTP/1.1 for optimal security (this also applies to Braintree). The payment company originally publicized this earlier this year, but we wanted to spread the word again to make sure everyone is aware.
“On June 30, 2017, PayPal will begin the process of discontinuing support for TLS 1.0 and 1.1. This means all merchant API communications with PayPal will need to use TLS 1.2.”
While TLS 1.0 and 1.1 are not officially deprecated like SSL 3.0, they are known to have security vulnerabilities. Attacks like POODLE and CRIME affect those TLS versions, but not 1.2. In its background whitepaper, PayPal writes “the risk of breach with older versions of TLS is significant, and PayPal intends to pursue the most secure options available.”
This upgrade is coming “despite recent PCI Council recommendations to delay the mandate to upgrade to at least TLS 1.1 and preferably 1.2 until 2018.” We are very happy to see PayPal staying ahead of the curve here, given how many payments are processed with them per day.
The TLS 1.2 requirement will be site-wide, including consumer-facing sites like “www.PayPal.com.” More everyday end users than merchants and sellers are likely to be impacted.
Most merchants likely support TLS 1.2 already and are ready to go. A merchant is more likely to have TLS 1.2 disabled than to lack the capability to support it, so this upgrade should affect a very small number of merchants. Probably the most notable client that does not support TLS 1.2 is Android 4.0.X and earlier, but those devices account for less than 3% of all Android devices.
Merchants concerned about their compatibility can read about the change and test their configuration at PayPal’s dedicated microsite.
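The difference between a client that cannot speak TLS 1.2 and one that merely has it switched off can be checked locally before testing against PayPal. The following is an added example, not code from PayPal or from this article: it inspects a Python `ssl.SSLContext`, and the helper names `version_state` and `audit` are hypothetical.

```python
import ssl

V = ssl.TLSVersion

# Per version: (compiled into the TLS library?, legacy per-version off switch)
_CHECKS = {
    V.TLSv1:   (ssl.HAS_TLSv1,   ssl.OP_NO_TLSv1),
    V.TLSv1_1: (ssl.HAS_TLSv1_1, ssl.OP_NO_TLSv1_1),
    V.TLSv1_2: (ssl.HAS_TLSv1_2, ssl.OP_NO_TLSv1_2),
}

def _rank(v):
    """Put the two negative sentinel values on a comparable scale."""
    if v == V.MINIMUM_SUPPORTED:
        return 0
    if v == V.MAXIMUM_SUPPORTED:
        return 10**6
    return int(v)

def version_state(ctx, version):
    """Return 'unsupported' (no capability), 'disabled' (capable but
    switched off in this context) or 'enabled'."""
    built_in, off_switch = _CHECKS[version]
    if not built_in:
        return "unsupported"
    in_range = _rank(ctx.minimum_version) <= int(version) <= _rank(ctx.maximum_version)
    masked = bool(ctx.options & off_switch)
    return "enabled" if in_range and not masked else "disabled"

def audit(ctx):
    """Map each checked version name to its state for this context.
    Configuration only: the library's security level may still refuse
    TLS 1.0/1.1 during a real handshake."""
    return {v.name: version_state(ctx, v) for v in _CHECKS}

if __name__ == "__main__":
    client = ssl.create_default_context()
    print("as configured:  ", audit(client))
    # What the client looks like once it refuses anything below TLS 1.2.
    client.minimum_version = V.TLSv1_2
    print("TLS 1.2 minimum:", audit(client))
```

A result of `disabled` for TLSv1_2 is the common case described above and is fixed in configuration; `unsupported` means the TLS library itself has to be upgraded.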