This is just a small public service announcement for any web developers or eCommerce website owners using PayPal Express Checkout to accept payments on their websites: don’t redirect your users to paypal.com; make sure you use www.paypal.com instead!
The reason is quite simple (and stupid): PayPal uses different SSL security configurations for the vanilla paypal.com domain and the www.paypal.com subdomain – and the former is incompatible with a lot of older PCs and operating systems, meaning your users will get an error message instead of being presented with the checkout options!
What makes this a particularly egregious crime is that requests to the plain-jane paypal.com are redirected to www.paypal.com, which, as anyone can tell you, makes the “enhanced security” on the bare domain completely useless. When dealing with online security, you would generally redirect from insecure to more-secure, allowing you to filter out requests, display compatibility error messages, etc. before switching to a higher level of security for your sensitive transactions… but not so with PayPal!
Here are screenshots of the client-compatibility results for PayPal’s SSL configuration on the two domains, as tested with SSL Labs’ awesome online SSL testing service:
First, the results for www.paypal.com (as retrieved on July 22, 2016):
And now the results for the bare paypal.com domain (as retrieved on July 22, 2016):
See the massive difference?! The SSL configuration for www.paypal.com supports pretty much all but the very oldest of clients; only users running IE6 on Windows XP (yes, they’re still out there *sigh*) will have problems connecting… but the plain top-level paypal.com domain will reject connections from basically all Internet Explorer users (all the way through Internet Explorer 10 on Windows 7!), with only IE11 still supported. In addition, Android users running anything below 4.4 won’t be able to connect, nor will any Windows Phone 8 users, or users of OS X 10.8 and below.
Do yourself a favor and check your website right now (not just the static links to PayPal.com but also the API redirect URLs for the PayPal Express Checkout API) and make sure that you’re sending your users to www.paypal.com and not the bare paypal.com – that’s a lot of sales you probably can’t afford to miss out on.
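One way to run that check, as an added Python example that is not from the original post: it scans a template or config file for PayPal URLs and flags every link whose host is the bare paypal.com (and, while at it, any plain-http link to PayPal). The sample checkout template and the EC-PLACEHOLDER token are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# The host the post recommends versus the bare domain it warns about.
BARE_HOST = "paypal.com"
GOOD_HOST = "www.paypal.com"

# Matches absolute and scheme-relative URLs in HTML attributes, JS strings and
# config values. Constructed pattern; deliberately simpler than a full RFC 3986 parser.
URL_RE = re.compile(r"(?:https?:)?//[^\s'\"<>)]+", re.IGNORECASE)


def classify_url(url):
    """Return a reason string if the URL should be fixed, else None."""
    # Scheme-relative links (//paypal.com/...) inherit https on a checkout page.
    parts = urlsplit("https:" + url if url.startswith("//") else url)
    host = (parts.hostname or "").lower()  # hostname drops port and credentials
    if host == BARE_HOST:
        return f"bare {BARE_HOST} (use {GOOD_HOST})"
    if host == GOOD_HOST and parts.scheme.lower() == "http":
        return "plain http to PayPal (use https)"
    return None


def audit_text(text):
    """Scan text line by line; return (line_no, url, reason) for each finding."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            reason = classify_url(match.group(0))
            if reason:
                findings.append((line_no, match.group(0), reason))
    return findings


# Constructed sample: a checkout template mixing correct and problematic links,
# including an Express Checkout return URL (the kind of setting the post says to audit).
SAMPLE = """\
<a href="https://www.paypal.com/cgi-bin/webscr?cmd=_express-checkout">Pay</a>
<form action="https://paypal.com/cgi-bin/webscr" method="post">
RETURN_URL=//PayPal.com/checkoutnow?token=EC-PLACEHOLDER
<img src="http://www.paypal.com/en_US/i/btn/btn_xpressCheckout.gif">
<a href="https://www.paypal.com/myaccount">Account</a>
"""

if __name__ == "__main__":
    for line_no, url, reason in audit_text(SAMPLE):
        print(f"line {line_no}: {url} -> {reason}")
```

Run it over your checkout templates and the configuration that holds your Express Checkout return/cancel URLs; only exact matches on the bare host are flagged, so other PayPal subdomains are left alone.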