This is just a small public service announcement for any web developers or eCommerce website owners using PayPal Express Checkout to accept payments on their websites: don’t redirect your users to paypal.com, make sure you use www.paypal.com instead!
The reason is quite simple (and stupid): PayPal uses different SSL security configurations for the vanilla paypal.com domain and the www.paypal.com subdomain – and the former is incompatible with a lot of older PCs and operating systems, meaning your users will get an error message instead of being presented with the checkout options!
What makes this a particularly egregious crime is that requests to the plain-jane paypal.com are redirected to www.paypal.com, which as anyone can tell you, makes the “enhanced security” on the plain top-level domain completely useless. When dealing with online security, you would generally redirect from insecure to more-secure, allowing you to filter out requests, display compatibility error messages, etc. before switching to higher level of security for your sensitive transactions.. but not so with PayPal!
Here are the screenshots of the compatibility of PayPal’s SSL configuration for the two domains, as tested with SSL Labs’ awesome online SSL testing service:
First, the results for www.paypal.com1
www.paypal.com client handshake compatiblity
And now the results for the top-level paypal.com domain2
paypal.com client handshake compatibility simulation
See the massive difference?! The SSL configuration for www.paypal.com supports pretty much all but the very oldest of clients; only users running IE6 on Windows XP (yes, they’re still out there *sigh*) will have problems connecting… but the plain top-level paypal.com domain will reject connections from basically all Internet Explorer users (all the way through Internet Explorer 10 on Windows 7!), with only IE11 still supported. In addition, Android users running anything below 4.4 won’t be able to connect, nor will any Windows Phone 8 users, or users of OS X 10.8 and below.
Do yourself a favor and check your website right now (not just the static links to PayPal.com but also the API redirect URLs for the PayPal Express Checkout API) and make sure that you’re sending your users to www.paypal.com and not the TLD paypal.com – that’s a lot of sales you probably can’t afford to miss out on.
As retrieved on July 22, 2016, [test again] ↩
As retrieved on July 22, 2016, [test again] ↩
If you look higher in the SSLLabs report, I’ll be you find that that TLSv1.2 is disabled on paypal.com — probably in preparation of moving to full PCI 3.1 compliance.
@Raymond doesn’t the second screen capture show TLS 1.2 supported on paypal.com?
Managed to write precisely the opposite. TLSv1.2 is enabled, but not TLSv1 or 1.1.
Hi Mahmoud,
I lead the developer advocacy effort over at PayPal. I’m sorry that you ran into this issue, but appreciate you bringing it up.
Here’s what we did – I worked with the PayPal infosec team yesterday to take a look at the problem. What we did to try to resolve the issue was to duplicate the config settings on paypal.com from http://www.paypal.com, so both should be acting the same now (with the more inclusive settings).
If you’re still seeing any problems, please do let me know and I can circle back.
You can also contact me directly via the @paypaldev handle (https://twitter.com/paypaldev) or my personal one (https://twitter.com/jcleblanc).
Thanks,
Jon
@Jonathan thank you for the quick and speedy response; I’ll ping you directly next time I find something (we’ve encountered other issues in the past and going through PayPal merchant support takes a while to flag a developer’s attention). However, I’m not seeing that the update has rolled out? A new test still reveals TLS 1.1 and 1.0 are disabled?
@Mahmoud Apologies for the delay. It looks like the release was delayed from its original Friday deployment for a few reasons. The new release date was yesterday afternoon (PDT) and everything appears to now be duplicated in the config settings after running the tests. Let me know if anything else pops up, happy to help.