Did you receive a confusing email from PayPal about their SSL upgrade? Here’s what you need to know.


TL;DR:

You don’t need to do anything if we host your website.

Long version:

Let’s face it, PayPal does itself no favours when it comes to making its official, legitimate emails look like anything other than spam or phishing.

You’re always told that any PayPal email will address you by name. You’re told to hover over any links in an email to see their destination before clicking on them, and if in any doubt at all, not to click them. Under no circumstances do you open an attachment from a sender you don’t know, or are suspicious of.

Last night, PayPal sent out an email to what looks like all of its business customers with the subject “IMMEDIATE ATTENTION REQUIRED: PayPal service upgrades”.

Immediately, this screams “phishing email”. The email is full of technical jargon, exactly the kind a phishing email uses to blind you with science.

It has links in the text, unusual for PayPal. On hovering over the link with a mouse, it turns out the link’s destination is on a domain called paypal-knowledge.com, not the well-known paypal.com you’d expect. There are other discrepancies with this email too but you wouldn’t know about them unless you went digging into the header.

A quick Google search revealed that half the internet thought it was fake and the other half thought it was real. Either way, not many people understood what it was about.

The email is legitimate

It was sent by PayPal. We know because we called PayPal and spent half an hour chatting to them about it. The email is regarding the process that PayPal is currently going through to upgrade their SSL certificate.

In layman’s terms, SSL is the process used to encrypt data as it travels across the internet. It is particularly important for financial organisations such as PayPal to keep their traffic encrypted so that nobody’s data (i.e. credit card numbers and other sensitive data) is intercepted in transit and copied for nefarious purposes. SSL stands for Secure Sockets Layer and is, technically, an old technology. TLS (Transport Layer Security) has since superseded it, but it’s all still referred to under the catch-all banner of SSL.

An SSL certificate is issued by a trusted authority to vouch for the authenticity of the site you’re connecting to. A site with an SSL certificate will display the padlock icon in the address bar, like on this site. Different levels of SSL certificate exist, giving different levels of online trust. The most secure certificates are required for financial organisations and it can take some time for the issuing authority to grant the certificate while they verify the identity of the site.

New security technology

As web technology evolves, so do the various security methods available. PayPal is currently upgrading its SSL certificate. The current certificate uses an algorithm called SHA-1 to encrypt data. The new certificate uses SHA-256, part of the SHA-2 family of algorithms, which is much more secure.

However, using SHA-256 requires a website’s server to be able to communicate using it, and this is what PayPal’s email is about. Servers that have not had their own security upgraded won’t be able to connect securely; PayPal will refuse the insecure connection, and customers trying to buy from an e-commerce site on that server won’t be able to check out.

The required server security upgrade is the installation of the VeriSign G5 Root Certificate. This enables the server to connect securely to a website using a SHA-256 SSL certificate.

If you host your website with McGregor Media, you’ll be glad to know that the VeriSign G5 Root Certificate is installed on both of our servers. Clients need do nothing – it’s all taken care of.
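If you run your own server and want to check it the way a hosting provider would, the following script is an added example (not McGregor Media’s or PayPal’s own tooling). It lists the common names in the trust store Python’s `ssl` module loads, looks for the G5 root, and attempts a verified TLS handshake. It assumes the G5 root’s common name is “VeriSign Class 3 Public Primary Certification Authority - G5” and uses api.paypal.com:443 as the endpoint; confirm both against PayPal’s upgrade guide.

```python
"""Check whether this host's trust store can validate a chain anchored on the G5 root.

Added example; assumptions: the G5 common name below and the PayPal endpoint.
"""
import socket
import ssl

# Assumed common name of the "VeriSign G5 Root Certificate" named in PayPal's email.
G5_COMMON_NAME = "VeriSign Class 3 Public Primary Certification Authority - G5"
PAYPAL_HOST = "api.paypal.com"  # assumed endpoint; use the one PayPal lists


def subject_common_names(ca_certs):
    """Collect commonName values from dicts shaped like SSLContext.get_ca_certs()."""
    names = []
    for cert in ca_certs:
        for rdn in cert.get("subject", ()):      # subject is a tuple of RDNs
            for attr, value in rdn:              # each RDN is a tuple of (type, value)
                if attr == "commonName":
                    names.append(value)
    return names


def has_g5_root(ca_certs):
    """True if the G5 root (matched by common name) is among the loaded CA certs."""
    return G5_COMMON_NAME in subject_common_names(ca_certs)


def probe_tls(host, port=443, timeout=5.0):
    """Attempt a verified TLS handshake and return (ok, detail).

    A chain the trust store cannot validate raises SSLCertVerificationError,
    which is what an un-upgraded server hits against a SHA-256 chain it does
    not trust.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                peer = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return True, f"{tls.version()} OK, peer CN={peer.get('commonName')}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"chain rejected: {exc.reason}"
    except (OSError, ssl.SSLError) as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    store = ssl.create_default_context().get_ca_certs()
    print("G5 root in trust store:", has_g5_root(store))
    ok, detail = probe_tls(PAYPAL_HOST)
    print("PayPal handshake:", "OK" if ok else "FAILED", "-", detail)
```

A `False` from `has_g5_root` on a system store means the root is not loaded at all, while a “chain rejected” result from `probe_tls` is the symptom the email warns about.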

Further reading

For more information, see PayPal’s Merchant Security System Upgrade Guide or visit their 2015-2016 SSL Certificate Change Microsite.