PayPal Responds To Security Concerns

PayPal will cut off support for aging security protocol SSL 3.0 on Dec. 3, and that may cause problems for some of its merchants, the online payments giant announced on Monday (Nov. 10).

The move will block an attack known as POODLE (for Padding Oracle On Downgraded Legacy Encryption), which tricks software into falling back to SSL 3.0, a compromised protocol that dates from 1996, if it is available. Disabling SSL 3.0 closes that hole and forces software to use a more secure protocol known as TLS. Google publicly identified the attack in mid-October.

In a post on the PayPal Forward blog, PayPal CTO James Barrese wrote that all PayPal use of SSL 3.0 will end on Dec. 3, 2014.

“Any merchant customer whose integration with PayPal uses SSL v3 will need to update their integration before this date to avoid an interruption in their ability to accept payments with PayPal,” Barrese wrote. “We recognize and regret that upgrading their PayPal integration may be challenging for some of our merchant customers at this busy time of year. The decision to extend our support of SSL v3 for a few more weeks was made with these merchants and the safety of our customers’ accounts in mind.”

Barrese added that PayPal has also acted to mitigate the risk of keeping SSL 3.0 working for the payments service through November, and that the company has “seen no evidence that the SSL v3 issue has led to any compromise of customers’ accounts at PayPal.”