Recently a vulnerability was published that affects a particular version of the Secure Sockets Layer (SSL) protocol, which is used to secure connections to websites. The vulnerability, which only exists in SSL 3.0, allows a cyber criminal to gain access to connections previously assumed secure. Fortunately, SSL 3.0 is not the only option available to secure these connections, and this vulnerability can be prevented by disabling support for SSL 3.0. PayPal will completely disable SSL 3.0 support, which will prevent this vulnerability from impacting users of PayPal, including those who may be using an integration via a merchant’s site.
Whilst disabling this protects users from harm, it may result in compatibility issues for some customers, particularly those merchant sites that rely on SSL 3.0. No need to worry though, updating your integration to be secure and compatible is quick and easy.
Ensuring you are secure is a simple process. If you are currently using SSL 3.0, update to use TLS, a more recent standard than SSL that provides a secure connection. Once you have done so, consider issuing new API credentials; this may not be necessary, but is recommended for security purposes.
If you are unsure whether you are using SSL 3.0 all you need to do is test your integration against the Sandbox. If you can make an API request, you are not using SSL 3.0, as this has already been disabled on the PayPal Sandbox, and you will experience no compatibility or security issues. If you are unsure how to test your integration against the Sandbox, please refer to the Merchant Response Guide for more details.
To update to TLS you need to connect to PayPal Endpoints using TLS 1.0 or 1.2. How to do this varies on which language you are using; refer to the documentation for your language, or to the Merchant Response Guide for more details.
After updating to TLS you should consider reissuing and downloading new API credentials for PayPal API requests. If you are using Certificate authentication, no action is required. Please check the documentation for more info if using Signature or OAuth.
These changes are necessary to protect our customers’ financial details, and we thank you for your patience and understanding in dealing with any compatibility issues that may arise due to the disabling of SSL 3.0. We will continue to work with our merchants on ensuring service is not interrupted and your integrations are kept safe and secure through the Merchant Services team. We appreciate your speed and attention in dealing with this issue.
For additional information about the POODLE vulnerability and PayPal’s response, please see this blog post from PayPal CTO, James Barrese.