PayPal reminds users: TLS 1.2 and HTTP/1.1 are no longer optional

PayPal has reminded merchants that they must support TLS 1.2 and HTTP/1.1 by June 30. The reason? That's the date the PCI Council mandated for those standards to come into effect. In this notice, PayPal warns: “You will need to verify that your environment supports TLS 1.2 and HTTP/1.1 and if necessary make appropriate …

  1. Herby

    Yeah, they keep warning me...

    I've gotten a bunch of emails from them, and what do you know I've tested my connection a multitude of times and all is well.

    Please stop sending me the emails. It is getting frustrating!

    Of course they could do what my bank did, and just stop accepting connections. THUD!

  2. G2

    interesting typo

    @ElReg: you have a typo in title:

    "PayPal reminds users: TLS 1.2 and HTTP/1.1 are longer optional"

    I think it was supposed to say "are no longer"

    also... article published at 03:52 AM?... please get some sleep before posting things.

    1. gotes

      Re: interesting typo

      He's in Australia.

  3. 89724102172714582892524I9751670349743096734346773478647852349863592355648544996313855148583659264921

    Expect limited chaos

    An accountant friend of mine was flummoxed by this exact requirement on the HMRC website - he couldn't submit customers' tax returns using the latest version of Chrome.

    1. Dan 55 Silver badge

      Re: Expect limited chaos

      The only browser that's going to do TLS 1.2 on an old OS which doesn't do TLS 1.2 is Firefox (although you may need an older version of Firefox which is the latest version available for that OS). The rest are limited by the OS' implementation of TLS.

      More to the point, why is your accountant friend using XP or Vista?

      1. 89724102172714582892524I9751670349743096734346773478647852349863592355648544996312855148583659264921

        Re: Expect limited chaos

        Time is money... I know a lot of small businesses who simply don't have the time to adjust to new OSs. It makes no sense to the IT informed.

        1. Lee D Silver badge

          Re: Expect limited chaos

          I think "security compromise through using outdated browsers to submit all their clients' tax information via an online website and outdated browser" costs both time and money.

          The excuse you're looking for is "laziness / ignorance". Running a business, taking cards, doing finances on the computer, connected to the Internet? You have a responsibility to your customers to keep your system vaguely up-to-date.

          By which I mean, at least a supported version of Windows, preferably written this decade.

          There is NO EXCUSE for this, and if you lose customer/finance data you'll be nailed to the wall by the courts.

          Solution: £300, new PC from PC World, maybe a couple of hundred to upgrade your finance software, a few quiet afternoons moving from one to the other until you're confident you can switch.

          If you're big enough to hire staff, any staff, in any role, you're big enough to keep your computers up-to-date.

          1. wyatt

            Re: Expect limited chaos

            Agreed, there is a cost to doing business and this is one of them. You have to work to the best of your abilities, and part of that is keeping your customers' data safe and also ensuring that you can keep working if there is an issue. Not moving with the times can be more costly than getting the most miles out of your hardware/software.

      2. Anonymous Coward

        Re: Expect limited chaos

        Apart from Chrome, which can give TLS v1.2 on XP SP3!

  4. Alister

    For most, that means get a new browser, but the requirement also applies to systems connecting to PayPal's APIs.

    Indeed.

    A great wailing and gnashing of teeth was heard from our developers when they realised they would have to recompile their precious PayPal integration code using a version of .NET which was vaguely modern.

    They were trying to blame Ops, saying it was a server problem. Au contraire, fellas, our servers happily support TLS1.2 in and out, get your shit together!

  5. Gavin Chester
    FAIL

    Oh.. So it wasn't spam?

    I did look at the links and think if it was spam it was good as it looked legit, but then erred on the side of caution and I just assumed it was the usual scam to try and get me to click a link and deleted it.

  6. GIRZiM

    http 1.1?

    I can't remember the last time I didn't connect via 1.1 in the last twenty years!

  7. GnuTzu

    Right on Time -- But, What About Others?

    The PCI Council said June, and it's June. Every site doing payment card transactions should already be here. Your banks should be telling you the same thing. Check them at: https://www.ssllabs.com/ssltest/

    If your bank or shopping site allows TLS 1.0 (or less), time to change banks.

  8. Boothy

    Similar issues in the past

    We did something similar to this with one of our clients. They had something like 2,500 customers, who'd basically been warned several times that their client end would break once we'd updated security (e.g. removed deprecated ciphers etc.) at the server side (mix of FTPS, SFTP and HTTPS, this was about 10 years ago).

    Customers were warned about 12 months in advance of the change. Six months or so later, monitoring showed there were still about 25% or so of customers who had not updated.

    Another 3 months and little had changed, with 20% still not updated.

    Another letter was sent out, again pointing out the deadline, which was now about 2 months away. But this time we also included what we referred to as a 'live-testing', that would be done weekly, during office hours, starting about 5 weeks before the final cut off.

    What this basically meant is we'd implement the change in the live system for a few hours during the day (I think it was something like every Tuesday, 10:00-14:00), thus killing client connections for anyone who had not updated yet. We then backed out the change a few hours later. (SLAs were still fine; it would just be an inconvenience for the 20% of customers it impacted for a few hours, assuming they connected during that time window, which most did.)

    Needless to say, we had quite a few irate customers calling up saying our system was down, with us pointing out this was planned work, and that they had been informed in advance, and "By the way, this would only impact you if your system was out of date, and this will become a permanent issue in x weeks' time, so you need to fix your system by then, or you'll be off permanently."

    Drastic, but it did have the desired result, with many more customers getting their updates done before the deadline.

    PS: As a side note, we found out quite a few customers had basically read our letters, but they hadn't been understood and not passed on to their IT people, or they had been passed on to IT, but they couldn't get their bosses to prioritise the work. Our 'live-testing' managed to focus this somewhat.

  9. Nate Amsden

    TLS 1.1 is fine for PCI ?

    Having been going through PCI audits for a few years now, unless something changed very recently TLS 1.1 is still perfectly fine for PCI. I did a few web searches and could not find anything mentioning TLS 1.1, only a dislike for 1.0 (though again I have yet to see any serious issues with TLS 1.0 itself; I have seen people point to specific weaknesses here and there, but they were all (that I have seen anyway) easily mitigated while maintaining TLS 1.0, since I did so myself on my org's load balancers 2-3 years ago back when we could not upgrade past TLS 1.0 (an issue that was resolved since; 1.1 and 1.2 are enabled these days and 1.0 disabled where possible/required)).

    Using the SSLlabs test site is always real handy for validating configuration; it's so easy to misconfigure SSL setup, even the ordering of the ciphers is important. I've yet to know anyone personally who knows SSL well enough to be able to configure that kind of thing on their own. For my Citrix Netscalers I think I used this guide (https://www.antonvanpelt.com/make-your-netscaler-ssl-vips-more-secure-updated/), or something that looked real similar.

    Had an issue not long ago where we upgraded some of our Linux systems and one of them had to connect to a 3rd party service. The upgraded openssl refused to connect to the 3rd party after the OS upgrade (with no obvious way to force it to connect). Ran an SSLlabs test on the site and it had a rating of "F" at the time. The vendor fixed their site after a few weeks; in the meantime we ran that job on an older OS. I believe that was a situation where I tested both wget and curl against the site. I think wget refused to connect but curl was open to talking to the site (maybe because it was using gnutls and openssl, whereas wget I think was linked to openssl only).

    SSL-level logging is also terrible across the board in my experience. Very difficult to tell what protocols and ciphers are actually being used (and used by who/what). Developers I have worked with in the past 18 years are just as lost when it comes to SSL.

    1. DougMac

      Re: TLS 1.1 is fine for PCI ?

      Correct, TLS v1.1 is fine, but generally in practice, TLS 1.0 marks the dividing point between "legacy old systems" and stuff that supports it all.

      If you can do TLS v1.1, generally you can do TLS v1.2, and you may as well get on that wagon while you are reconfiguring.
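Boothy's monitoring of which customers had still not updated, and Nate Amsden's point that it is hard to tell which protocols and ciphers are actually in use and by whom, both come down to the same thing: get the negotiated TLS version into the access log and summarise it per client before the cutoff. The script below is an added example, not code from either commenter or from The Register. It assumes an nginx-style combined log line extended with the real nginx variables `$ssl_protocol` and `$ssl_cipher`; the log lines are constructed for the example and the addresses are documentation ranges. It also flags requests still sent as HTTP/1.0, since the PayPal notice requires HTTP/1.1 as well.

```python
"""
Summarise negotiated TLS versions per client from web-server access logs,
so that clients still on TLS 1.0/1.1 (or HTTP/1.0) can be warned before
the cutoff.

Assumed nginx log_format (the $ssl_protocol/$ssl_cipher variables exist in
nginx; the exact layout below is this example's assumption):

    log_format tls '$remote_addr - $remote_user [$time_local] "$request" '
                   '$status $body_bytes_sent "$http_user_agent" '
                   '$ssl_protocol $ssl_cipher';
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ua>[^"]*)" '
    r'(?P<proto>TLSv1(?:\.[0-3])?|SSLv3|-) (?P<cipher>\S+)$'
)

# Everything below TLS 1.2 is treated as legacy, matching the PCI cutoff.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample log (not real traffic); one deliberately malformed line.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jun/2018:10:02:11 +0000] "POST /api/v1/payment HTTP/1.1" 200 512 "MerchantClient/2.3 (.NET 4.0)" TLSv1 AES128-SHA
203.0.113.10 - - [12/Jun/2018:10:05:42 +0000] "POST /api/v1/payment HTTP/1.1" 200 498 "MerchantClient/2.3 (.NET 4.0)" TLSv1 AES128-SHA
198.51.100.7 - - [12/Jun/2018:10:06:03 +0000] "POST /api/v1/payment HTTP/1.1" 200 505 "MerchantClient/3.1 (.NET 4.6)" TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
192.0.2.55 - - [12/Jun/2018:10:07:19 +0000] "GET /healthz HTTP/1.0" 200 2 "curl/7.29.0" TLSv1.1 AES256-SHA
198.51.100.7 - - [12/Jun/2018:10:09:27 +0000] "POST /api/v1/refund HTTP/1.1" 200 301 "MerchantClient/3.1 (.NET 4.6)" TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
this line is not in the expected format
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # "$request" is "METHOD PATH HTTP/x.y"; keep the HTTP version separately.
    parts = rec["request"].split()
    rec["http_version"] = parts[2] if len(parts) == 3 else "-"
    return rec


def summarize(lines):
    """Aggregate protocol usage, legacy clients and HTTP/1.0 clients."""
    by_protocol = Counter()
    legacy = defaultdict(lambda: {"requests": 0, "protocols": set(), "user_agents": set()})
    http10_clients = set()
    malformed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1          # count, don't crash, on unexpected lines
            continue
        by_protocol[rec["proto"]] += 1
        if rec["proto"] in LEGACY_PROTOCOLS:
            entry = legacy[rec["ip"]]
            entry["requests"] += 1
            entry["protocols"].add(rec["proto"])
            entry["user_agents"].add(rec["ua"])
        if rec["http_version"] == "HTTP/1.0":
            http10_clients.add(rec["ip"])
    total = sum(by_protocol.values())
    legacy_hits = sum(n for p, n in by_protocol.items() if p in LEGACY_PROTOCOLS)
    return {
        "by_protocol": dict(by_protocol),
        "legacy_share": legacy_hits / total if total else 0.0,
        "legacy_clients": {
            ip: {"requests": e["requests"],
                 "protocols": sorted(e["protocols"]),
                 "user_agents": sorted(e["user_agents"])}
            for ip, e in legacy.items()
        },
        "http10_clients": sorted(http10_clients),
        "malformed": malformed,
    }


def report(lines):
    """Print a short human-readable summary of summarize()."""
    s = summarize(lines)
    print("Requests by protocol:", s["by_protocol"])
    print(f"Share of requests below TLS 1.2: {s['legacy_share']:.0%}")
    for ip, e in s["legacy_clients"].items():
        print(f"  {ip}: {e['requests']} request(s) via {', '.join(e['protocols'])}"
              f" [{'; '.join(e['user_agents'])}]")
    print("Clients still sending HTTP/1.0:", s["http10_clients"])
    print("Malformed lines skipped:", s["malformed"])


if __name__ == "__main__":
    report(SAMPLE_LOG.splitlines())
```

The per-client user-agent strings are what make the list actionable: in the sample the two TLS 1.0 requests come from the same integration build, which is the kind of detail a warning letter should carry so it reaches the right IT contact rather than a mailbox.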

  10. Torchy

    Using Google Chrome with self updates and I have had one email informing me that I will be unable to access PayPal after 30th June.

    Going to take my balance down to £0 the day before to help them out.

  11. RobertsonCR7
    Happy

    that was about time
