Background to The Internet Security Changes

    Over the next couple of years the security protocol used across the internet, and particularly for handling online payments, is being upgraded. Earlier protocols, SSL and TLS v1.0/1.1, are being replaced by TLS v1.2. At the same time at least one provider (PayPal) is enforcing an upgrade to the protocol used for information transfer, HTTP, to v1.1.

    This document provides some technical background to the changes, as affecting Sellerdeck users.

    HTTP & TLS

    Hypertext Transfer Protocol (HTTP) is the language used for the transfer of information across the internet. HTTP v1.0 is the original language of the internet and is still generally supported, but was officially replaced by v1.1 as long ago as January 1997.

    Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) enable two applications to communicate securely, protecting both the security of the user and the integrity of the information. Together they are often referred to as ‘SSL’.

    The prefix ‘HTTPS’ in a site address indicates that it uses (originally) SSL or (more recently) TLS to transmit HTTP data securely.

    As computing power has increased over the years and hackers have found loopholes in older security protocols, newer and tougher versions have been developed. TLS v1.0 officially replaced SSL from June 2015, and was followed by v1.1. The latest version, v1.2, is already used by many applications.

    What’s changing

    From June 2017 application providers, including all payment gateways, will begin to withdraw support for older versions of TLS. This transition will be completed in June 2018. From that point on, only TLS v1.2 will be supported and all secure sites must support it.

    PayPal will be enforcing the change earlier, in June 2017. At the same time they will also withdraw support for HTTP v1.0, requiring all communication to take place using HTTP v1.1.

    At the moment, no other provider has suggested it will enforce HTTP v1.1, but all providers will enforce TLS v1.2 by June 2018.
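
One way to check an endpoint, and the machine the check runs on, against both requirements above (TLS v1.2 and HTTP v1.1). This is an added example, not Sellerdeck's own code; the host name `shop.example` is a placeholder and the function names are hypothetical.

```python
import http.client
import ssl

# Protocol versions the page says are being withdrawn, as named by SSLSocket.version().
WITHDRAWN = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def tls12_context():
    """Client context that refuses to negotiate anything older than TLS v1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def assess(tls_version, http_version):
    """Return a list of problems measured against the requirements on this page.

    tls_version:  string from SSLSocket.version(), e.g. "TLSv1.2"
    http_version: int from HTTPResponse.version (10 = HTTP/1.0, 11 = HTTP/1.1)
    TLS v1.3 postdates the page and is accepted here as newer than v1.2.
    """
    problems = []
    if tls_version is None or tls_version in WITHDRAWN:
        problems.append(f"negotiated {tls_version}, need TLSv1.2 or newer")
    if http_version != 11:
        problems.append(f"server answered HTTP/{http_version / 10:.1f}, need HTTP/1.1")
    return problems


def probe(host, port=443, timeout=10):
    """Connect to host and return (tls_version, http_version)."""
    if not ssl.HAS_TLSv1_2:
        raise RuntimeError("local OpenSSL build has no TLS v1.2 support")
    conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                       context=tls12_context())
    try:
        conn.connect()                     # TLS handshake happens here
        tls_version = conn.sock.version()  # read before the socket is released
        conn.request("HEAD", "/")          # http.client sends HTTP/1.1 requests
        return tls_version, conn.getresponse().version
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "shop.example"  # placeholder host
    try:
        issues = assess(*probe(host))
    except (ssl.SSLError, OSError) as exc:
        issues = [f"connection failed: {exc}"]
    print(host, "OK" if not issues else "; ".join(issues))
```

A handshake failure reported by `probe` means one side could not agree on TLS v1.2 or newer, which is the condition the June 2018 deadline makes fatal.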

    Will my site be affected?

    How this affects your site will depend on which Sellerdeck version you are using, and which services.

    For step-by-step instructions about what you need to do, see our advice document, 'The Internet Security Changes and Your Sellerdeck Site'.

    To understand more about the implications for each feature and service, please read the explanations below.
    1. Online Payments

      Regardless of the payment method used, support for TLS v1.2 in the online checkout depends on the web host. Sellerdeck Hosting servers are already being upgraded to support it.

    2. PayPal

      From 30th June 2017, at the same time as enforcing TLS v1.2, PayPal alone will also enforce the use of HTTP v1.1 for information transfer.

      Versions of Sellerdeck prior to v11.0.4 are unable to support HTTP v1.1. If you use PayPal to take online payments, then by 30th June 2017 you must be using Sellerdeck v11.0.4 or higher.

      For more information about your options in this case, see the final two sections of our guidance notes, 'The Internet Security Changes and Your Sellerdeck Site'.

    3. Sellerdeck desktop functions

      Desktop functions for the following services will all require support for TLS v1.2:

      1. Sellerdeck Payments (Commit, Refund, Void & Pay)
      2. PayPal (Capture, Refund & Void)
      3. GFS Integrated Shipping

      All of these require an upgrade to the PHP libraries embedded in earlier versions of Sellerdeck Desktop in order to support TLS v1.2.

      This upgrade was implemented in Sellerdeck 2016 (v16.0.2). If you are using this version or above, no further action is required.

      If you are using an older version, you must either upgrade your Sellerdeck software or download and run the Sellerdeck PHP upgrader. For more information about these two options, see our guidance notes, 'The Internet Security Changes and Your Sellerdeck Site', and refer to the relevant section for the version of Sellerdeck Desktop that you are using.