Security - just had a call from paypal - READ THIS!

14 replies
I just had a phone call from paypal telling me that from january 12th they are stopping processing payments from sites that support SSL 3.0

I've run a check on my own sites and a few others and all have the SSL 3.0 vulnerability

This is related to the "Poodle" Vulneralbility


there is more details here

https://www.paypal-community.com/t5/...al/ba-p/902239

I am not tryiung to be alarmist but as i missed all the emails they sent me I am sure some others have!

I tested my site and other at: https://www.poodlescan.com/

I would appreciate any input from anyone in the know
#call #paypal #read #security
  • Profile picture of the author PerformanceMan
    You don't have to use SSL V3. It can be easily 'downgraded' in the server configuration file for most servers. That would be the easiest solution.
    Signature
    Free Special Report on Mindset - Level Up with Positive Thinking
    {{ DiscussionBoard.errors[9789710].message }}
  • Profile picture of the author M Thompson
    Thanks,

    My tech sent me some other sites to check with

    https://www.tinfoilsecurity.com/poodle

    https://poodlebleed.com/
    Signature


    If you are serious about online marketing come and Join our free community The Foundation
    {{ DiscussionBoard.errors[9791050].message }}
  • Profile picture of the author laurencewins
    I find it odd that somebody "claiming" to be from PayPal would ring you. They usually send emails if it is important. Have you checked the validity of the call?
    Signature

    Cheers, Laurence. Writer/Editor/Proofreader.
    Visit my site for more info

    {{ DiscussionBoard.errors[9791752].message }}
    • Profile picture of the author M Thompson
      Originally Posted by laurencewins View Post

      I find it odd that somebody "claiming" to be from PayPal would ring you. They usually send emails if it is important. Have you checked the validity of the call?
      Yep, it was my business rep, I'd had a few emails from them in early December that I'd ignored.
      Signature


      If you are serious about online marketing come and Join our free community The Foundation
      {{ DiscussionBoard.errors[9791776].message }}
  • Profile picture of the author laurencewins
    OK, Mark. I am glad that it was a genuine call at least.
    Signature

    Cheers, Laurence. Writer/Editor/Proofreader.
    Visit my site for more info

    {{ DiscussionBoard.errors[9791782].message }}
  • Profile picture of the author John_3771
    Yeah, I got a call from Paypal this morning and it was definitely legit. I'm still looking into the best solution to this problem. It must be a pretty big concern that they have because they never usually call me. Thanks Mark for the links, especially the top one where you can run a simple scan on your domain names to see if you have a problem.
    {{ DiscussionBoard.errors[9792845].message }}
  • Profile picture of the author JPaston
    Thanks for the heads up, M Thompson et al, I've just checked my sites using poodlescan.com and they all fall foul.

    The good news is that if you check warriorforum.com and warriorplus.com they are 'not vulnerable' so WSOs are good to go if you use these payment methods in conjunction with Paypal.

    The next question is what to do about it one's own site? I'll be checking with Hostgator support.
    {{ DiscussionBoard.errors[9793662].message }}
  • Profile picture of the author nizamkhan
    Thansk for this info. I scaned my site with poodlescan.com and it's says "This server does NOT support the SSL v3 protocol.", that's fine. But, what if the server supports SSL v3? Do we need to contact our hosting provider?

    - Nizam
    {{ DiscussionBoard.errors[9794467].message }}
  • Profile picture of the author Mark Hess
    Mark, thanks for bringing this to our attention, I sort of blew off PayPal...

    I use PositiveSSL from NameCheap.

    WiredTree fixed it for me in about 10 minutes (I have several managed VPS through them): 2015-01-07_0757 - MarkHess's library

    Apparently they did something with the CA bundle I received when I purchased the certificate and the server.

    If anyone else is having issues, contact your host.
    Signature
    {{ DiscussionBoard.errors[9794503].message }}
  • Profile picture of the author rodonet
    Surprise, surprise:
    Payspree.com, Click2sell.eu and Jvzoo.com are shown as "vulnerable" on Poodlescan.

    Zaxaa.com and Warriorplus.com are "not vulnerable".
    {{ DiscussionBoard.errors[9794664].message }}
  • Profile picture of the author ghost209
    thanks for the heads up!
    {{ DiscussionBoard.errors[9794745].message }}
  • Profile picture of the author kencalhn
    a big Thanks! for that heads-up, good to know; rebuilding apache config -ssl3
    {{ DiscussionBoard.errors[9794754].message }}
  • Profile picture of the author sbucciarel
    Banned
    Interesting. Google.com is vulnerable.
    Facebook is not.
    {{ DiscussionBoard.errors[9794978].message }}

Trending Topics