需要立即采取行动 - SSL 3.0漏洞

时间:2014-11-13 05:34:33

标签: php mysql ssl paypal paypal-sandbox

我从paypal收到了这封电子邮件,但我不明白他们想说什么,

他们将于2014年12月3日停止服务,

我在付款时使用快速结帐流程

我是否需要购买新的SSL?

Immediate action required

XYZ,

On October 14, 2014, details were released about a vulnerability to
version 3 of Secure Sockets Layer (SSL 3.0). Since that time, PayPal has
been hard at work to mitigate any potential impact to our consumers and
merchant customers.

To help mitigate risk associated with this vulnerability, PayPal will
discontinue support for SSL 3.0 on DECEMBER 3, 2104 AT 12:01 A.M.
PACIFIC STANDARD TIME. Unfortunately, this necessary step may cause
compatibility problems resulting in the inability for customers to pay
with PayPal on your site or other processing issues.

We wouldn't have been able to extend our support of SSL 3.0 to December
3, 2014, at 12:01 a.m. PST if we hadn't also been able to take
significant steps to migrate the risk of this vulnerability for our
customers. We want to assure our customers we have seen no evidence that
the SSL 3.0 issue has led to any compromise of security at PayPal.

Keeping our customers' accounts, data and money secure is PayPal's top
priority and a guiding principle when we make challenging decisions,
like this one.

We're here to help our merchants through this process. We've put
together a comprehensive Merchant Response Guide [1] to ensure systems
are secure from this vulnerability.

WHAT DO I NEED TO DO?

If you don't manage website integrations for your business, we strongly
encourage you to work with your website service partner (developer,
hosting company or e-commerce platform, etc.) and share the Merchant
Response Guide [1], which provides the basic guidelines on how to update
to Transport Layer Security (TLS). If your website service has questions
or need support, advise them to contact our Merchant Technical Support
[2].

Thank you for your prompt attention to move this issue and understanding
of our approach. Though we recognize this necessary step may cause
compatibility issues, we can't stress enough that this short-term
inconvenience is heavily outweighed by our joint promise to our
respective customers that we will keep their accounts and financial
details safe. We plan to keep our customers up to date on how we are
addressing this issue via the appropriate channels, including PayPal
Forward [3], our Twitter handle [4], Customer Service [5] and for
merchants, through our Merchant Services team.

For technical assistance, please call 855-489-0342.

We appreciate your patience and understanding as we work around the
clock to better serve you and keep you and our consumers safe.

                 Help [6] Contact [7]Fees [8] Security [9] Features [10] Shop [11]

Please do not reply to this email. We are unable to respond to inquiries
sent to this address. For immediate answers to your questions, visit our
Help Center by clicking "Help" on any PayPal page.

© 2014 PayPal Inc. All rights reserved. PayPal is located at 2211 N.
First St., San Jose, CA 95131.

Call
Send SMS
Add to Skype
You'll need Skype CreditFree via Skype

Links:
------
[1] https://ppmts.custhelp.com/app/answers/detail/a_id/1147
[2] https://ppmts.custhelp.com/
[3] https://www.paypal-community.com/t5/PayPal-Forward/bg-p/PPFWD
[4] https://twitter.com/AskPayPal
[5] https://www.paypal.com/us/webapps/helpcenter/helphub/home/
[6] https://www.paypal.com/us/cgi-bin/webscr?cmd=_help
[7] https://www.paypal.com/us/cgi-bin/webscr?cmd=_help&t=escalateTab
[8] https://www.paypal.com/us/webapps/mpp/paypal-fees
[9] https://www.paypal.com/us/webapps/mpp/paypal-safety-and-security
[10] https://www.paypal.com/us/webapps/mpp/about-paypal-products
[11] https://shopping.paypal.com/index

2 个答案:

答案 0 :(得分:0)

不,问题与POODLE漏洞有关,这导致我们在您调用PayPal API时禁用基于SSLv3的验证。

当您向PayPal API发出请求时,系统会尝试确保您实际上正在与PayPal通话,而不是其他人。为此,我们使用SSLv3协议加密一些数据。现在,当Google发现SSLv3的错误时,我们正在升级到TLSv1。

为此,您需要按照https://ppmts.custhelp.com/app/answers/detail/a_id/1182

中显示的步骤操作

根据您正在使用的语言,更改可能会有所不同。修复非常简单,但是,现在是将整个SDK升级到可能有更多修复和功能的最新版本的好时机。

答案 1 :(得分:0)

只要你的框架链接到最新的SSL实现,你应该没问题。

例如,如果您拥有最新版本的OpenSSL 0.9.8分支,则它还支持旧协议(包括SSLv3)的TLSv1。

如果您拥有最新的OpenSSL 1.0.1,它除旧协议外还支持TLSv1,TLSv1.1和TLSv1.2。

但是如果您使用的是没有TLS支持的旧版本,那么您必须升级才能将其与PayPal一起使用。

AFAIR,PayPal Express Checkout允许您有一个按钮,因此您的买家将被重定向到PayPal网站,并在那里处理付款。在这种情况下,所有加密都由PayPal完成。 诀窍在于买家回到您身边确认订单。您需要确保您的网站可以使用https与TLS系列协议与PayPal通信。