Security researchers at Google have announced a “Poodle” vulnerability in SSL 3.0. We don’t expect that means much to you, nor the full name – Poodle stands for “Padding Oracle On Downloaded Legacy Encryption”.
What it does mean is that PayPal may be broken for some ecommerce sites as PayPal unplugs SSL 3.0 support, so if your PayPal checkout is borked now you know why.
PayPal have said “we’ve determined that we must disable SSL 3.0 support as soon as we reasonably can. Unfortunately, this necessary step may cause compatibility problems for a few of our customers resulting in the inability to pay with PayPal on some merchant sites or other processing issues that we are still identifying. However, we can’t stress enough that this short-term inconvenience is heavily outweighed by the PayPal brand promise of keeping our customers and their money safe. For us, it’s that simple”.
PayPal plan to remove SSL 3.0 support completely over the coming days. Affected users will need to upgrade their checkouts to use Transport Layer Security (TLS) instead. TLS should already have replaced most PayPal SSL 3.0 installations, but some still fall back to SSL 3.0 for legacy browser support, and many browsers will retry a failed TLS connection using older protocols, including SSL 3.0.
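For merchants who want to know whether their checkout still depends on SSL 3.0, the version is visible in the first handshake message of each connection. The following is an added example, not code from PayPal or from the original article: it reads the version field of a captured ClientHello or ServerHello and flags SSL 3.0. The function names are hypothetical and the sample bytes are constructed for illustration.

```python
import struct

# Protocol version numbers as they appear on the wire.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HELLO_TYPES = {1: "ClientHello", 2: "ServerHello"}
HANDSHAKE_RECORD = 22


def parse_hello(record: bytes):
    """Return (message name, version name) for the first handshake record."""
    if len(record) < 11:
        raise ValueError("too short to hold a hello message")
    content_type, _record_version, _length = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE_RECORD:
        raise ValueError("not a handshake record")
    msg_type = record[5]
    if msg_type not in HELLO_TYPES:
        raise ValueError("not a ClientHello or ServerHello")
    # Bytes 6-8 are the handshake length; the hello's version field follows.
    (version,) = struct.unpack("!H", record[9:11])
    return HELLO_TYPES[msg_type], VERSIONS.get(version, f"unknown 0x{version:04x}")


def audit(record: bytes) -> str:
    """Say whether this hello depends on SSL 3.0."""
    msg, version = parse_hello(record)
    if version != "SSL 3.0":
        return f"{msg}: {version}, does not rely on SSL 3.0"
    if msg == "ClientHello":
        # Either a legacy client or a browser retrying after a failed TLS attempt.
        return "ClientHello: SSL 3.0 is the highest version offered, upgrade this client"
    return "ServerHello: SSL 3.0 was selected, this connection relies on SSL 3.0"


def sample_hello(msg_type: int, version: int) -> bytes:
    """Constructed sample: a minimal hello (version, zeroed random, empty session id)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE_RECORD, 0x0300, len(handshake)) + handshake


if __name__ == "__main__":
    for msg_type, version in [(1, 0x0300), (1, 0x0303), (2, 0x0300), (2, 0x0301)]:
        print(audit(sample_hello(msg_type, version)))
```

A ClientHello that offers only SSL 3.0 covers both cases described above: software that never supported TLS, and a browser retrying with an older protocol after a failed TLS connection.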
I guess it’s a case of PayPal have the latest tools available, but the one thing that they can’t do is force users to update their software to the most up-to-date versions available. Around 10% of Tamebay’s traffic still comes from users of Windows XP or earlier, and indeed many corporate companies never upgraded to Windows 7, let alone Windows 8.