Community @ The Turning Gate

Support community for TTG plugins and products.

You are not logged in.

#1 2014-11-19 20:35:22

Ben
Moderator
From: Melbourne, Australia
Registered: 2012-09-29
Posts: 3,274

PayPal and SSL 3.0

Many of you may have received an email from PayPal regarding the ending of support for SSL 3.0 in response to the Poodle vulnerability.

In short: you should have nothing to worry about.

Elaborating:

This will potentially impact the cart in two ways: with browsers, as your customers are directed to paypal.com to complete their PayPal details, and with the server you are hosting on, as transaction details are communicated to PayPal in the back-end.  The version of SSL used is determined by the protocols available on your server and customer's browsers, and those that PayPal supports.  As PayPal will no longer support the SSL 3.0 protocol, your cart will only be able to work if your server supports one of the remaining protocols supported by PayPal, in particular TLS.

All modern browsers support TLS.  The only noteworthy browser that will not function correctly with PayPal is Internet Explorer 6, which is not supported by TTG.

All hosts updated in recent years should support TLS.  If in doubt, there are two ways of testing that your server supports TLS:

1. Look at the PHP Info for your site.  With CE4, you can find a link to the PHP Info on the TTG BE Dashboard.  The "Registered Stream Socket Transports" section lists the available protocols.  If 'tls' is one listed, then you'll be fine.

2. Test your cart on PayPal's Sandbox with the PayPal testing credentials.  PayPal has already disabled SSL 3.0 support on the SandBox, so if this mode works, then your cart will continue to function correctly when PayPal disables SSL 3.0 on paypal.com.

PayPal recommends that you create a new set of Security Credentials in the off-chance that they had been compromised by an old browser prior to disabling SSL 3.0.  For instructions on how to do so, see this guide: https://developer.paypal.com/docs/class … edentials/

In practice, this may be unnecessary, since in my understanding, even if your credentials did fall into the wrong hands, there is no mechanism in which a third party could use them to steal funds or gain financially from you.  At most, they could be used to create dummy transactions in an attempt to disrupt your business or cause loss through PayPal fees.  If this risk concerns you, then follow the link above to create new credentials.

Offline

Board footer

Powered by FluxBB