Security & Fraud

Uh-oh. PayPal Software Crumbles When Facing Older Encryption

PayPal announced Wednesday (Oct. 14) that older encryption may be the nemesis of  its current retailer software.

“So far, we’ve determined that we must disable SSL 3.0 support as soon as we reasonably can. Unfortunately, this necessary step may cause compatibility problems for a few of our customers resulting in the inability to pay with PayPal on some merchant sites or other processing issues that we are still identifying," said PayPal CTO James Barrese. "However, we can’t stress enough that this short-term inconvenience is heavily outweighed by the PayPal brand promise of keeping our customers and their money safe. For us, it’s that simple."

The problems involve a newly-discovered vulnerability, which is being called Poodle. "When exploited, this vulnerability enables a cyber criminal to gain access to connections considered secure via this widespread (but 15-year-old) security protocol," Barrese wrote.

Critically, he said that PayPal is looking to cut its losses by preventing use of the older defense. "In the coming days, we will remove support for SSL 3.0 completely," Barrese said. "Today, we have absolutely no evidence that any of our customers have been compromised by this vulnerability. "





Click to comment