PayPal Response to SSL 3.0 Vulnerability (aka POODLE)

James Barrese, CTO, PayPal

Today, details of an Internet security protocol vulnerability were released, which many in the industry are calling “POODLE”. The vulnerability affects a protocol called SSL 3.0, which was designed to secure connections when browsing the Internet.

When exploited, this vulnerability enables a cyber criminal to gain access to connections considered secure under this widespread (but 15-year-old) security protocol. The Information Security community has collaboratively analyzed this issue, and the Google security team reported it earlier today through a very helpful blog post describing the vulnerability, offering near- and long-term solutions for their users, and recommending how the rest of the Internet should respond.

As a bit of background to help you understand the complexity and widespread impact of this vulnerability, nearly all Internet browsers support SSL 3.0. Though most companies doing business on the Internet have adopted its successor, Transport Layer Security (TLS), older browser versions and some legacy Internet experiences still rely on SSL 3.0 to maintain secure connections. Also, some modern browsers will “fall back” to SSL 3.0 in certain situations. TLS_FALLBACK_SCSV is an option for the more secure TLS protocol that prevents this “fall back” to SSL 3.0, and PayPal is working right now to ensure that all connections use this option as appropriate.

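To show why the “fall back” matters and what TLS_FALLBACK_SCSV changes, here is a small simulation of the downgrade dance. It is an added example, not PayPal's code: the version tuples, the attacker model and the `client_connect`/`server_hello` functions are constructed for illustration, while the cipher suite value 0x5600 and the inappropriate_fallback alert (86) are the ones defined in RFC 7507.

```python
"""Constructed simulation of a browser falling back to SSL 3.0 and of the
TLS_FALLBACK_SCSV signal (RFC 7507) letting the server refuse that fallback.
No network traffic is involved; the handshake is modelled as function calls."""

# Protocol versions as (major, minor) tuples, so they compare in order.
SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
TLS_FALLBACK_SCSV = 0x5600      # signalling cipher suite value, RFC 7507
INAPPROPRIATE_FALLBACK = 86     # alert description, RFC 7507
AES128_CBC_SHA = 0x002F         # TLS_RSA_WITH_AES_128_CBC_SHA, a CBC suite POODLE targets


def server_hello(client_version, cipher_suites, supported_versions):
    """Server side of the handshake: ("alert", reason) or ("ok", version)."""
    if client_version not in supported_versions:
        # The simplest fix on this page: SSL 3.0 disabled outright.
        return ("alert", "protocol_version")
    highest = max(supported_versions)
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < highest:
        # Client says it retried at a lower version, but we support a higher
        # one, so something between us broke the earlier handshake.
        return ("alert", INAPPROPRIATE_FALLBACK)
    return ("ok", client_version)


def client_connect(server_versions, send_scsv, attacker_drops_above=None):
    """Client side: retry downward through versions the way legacy browsers did.
    attacker_drops_above models an on-path attacker who breaks every handshake
    attempted above that version in order to force the client down to it."""
    attempts = [TLS12, TLS11, TLS10, SSL3]
    for retry, version in enumerate(attempts):
        if attacker_drops_above is not None and version > attacker_drops_above:
            continue  # handshake "fails"; browser falls back to the next version
        suites = [AES128_CBC_SHA]
        if send_scsv and retry > 0:
            suites.append(TLS_FALLBACK_SCSV)  # mark this as a fallback attempt
        return server_hello(version, suites, server_versions)
    return ("alert", "handshake_failure")


if __name__ == "__main__":
    everything = {SSL3, TLS10, TLS11, TLS12}
    print("no SCSV, forced down :", client_connect(everything, False, SSL3))
    print("SCSV, forced down    :", client_connect(everything, True, SSL3))
    print("SSL3 disabled        :", client_connect(everything - {SSL3}, False, SSL3))
```

The second and third cases are the two defences the post describes: the fallback signal makes the server reject a forced downgrade, and removing SSL 3.0 support stops it even for clients that do not send the signal.
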
So far, we’ve determined that we must disable SSL 3.0 support as soon as we reasonably can. Unfortunately, this necessary step may cause compatibility problems for a few of our customers, resulting in the inability to pay with PayPal on some merchant sites or other processing issues that we are still identifying. However, we can’t stress enough that this short-term inconvenience is heavily outweighed by the PayPal brand promise of keeping our customers and their money safe. For us, it’s that simple.

Today, we have absolutely no evidence that any of our customers have been compromised by this vulnerability. We pledge to stay transparent and let you know if we discover anything else. For now, thank you for continuing to trust us and know that we will do everything to protect your financial details as we’ve done for many years. If you have concerns, don’t hesitate to reach out.

In the coming days, we will remove support for SSL 3.0 completely. We plan to keep our customers up to date on how we are addressing this issue via the appropriate channels including PayPal Forward, our Twitter handle, Customer Service and for merchants, through our Merchant Services team. We appreciate your patience and understanding as we work around the clock to better serve you and keep you safe.

Original author: PayPal-Forward