PSA: rejecting connections from Internet Explorer 10 and below!

PayPalThis is just a small public service announcement for any web developers or eCommerce website owners using PayPal Express Checkout to accept payments on their websites: don’t redirect your users to, make sure you use instead!

The reason is quite simple (and stupid): PayPal uses different SSL security configurations for the vanilla domain and the subdomain – and the former is incompatible with a lot of older PCs and operating systems, meaning your users will get an error message instead of being presented with the checkout options!

What makes this a particularly egregious crime is that requests to the plain-jane are redirected to, which as anyone can tell you, makes the “enhanced security” on the plain top-level domain completely useless. When dealing with online security, you would generally redirect from insecure to more-secure, allowing you to filter out requests, display compatibility error messages, etc. before switching to higher level of security for your sensitive transactions.. but not so with PayPal!

Here are the screenshots of the compatibility of PayPal’s SSL configuration for the two domains, as tested with SSL Labs’ awesome online SSL testing service:

First, the results for www.paypal.com1 client compatiblity client handshake compatiblity

And now the results for the top-level domain2 client handshake simulation client handshake compatibility simulation

See the massive difference?! The SSL configuration for supports pretty much all but the very oldest of clients; only users running IE6 on Windows XP (yes, they’re still out there *sigh*) will have problems connecting… but the plain top-level domain will reject connections from basically all Internet Explorer users (all the way through Internet Explorer 10 on Windows 7!), with only IE11 still supported. In addition, Android users running anything below 4.4 won’t be able to connect, nor will any Windows Phone 8 users, or users of OS X 10.8 and below.

Do yourself a favor and check your website right now (not just the static links to but also the API redirect URLs for the PayPal Express Checkout API) and make sure that you’re sending your users to and not the TLD – that’s a lot of sales you probably can’t afford to miss out on.

  1. As retrieved on July 22, 2016, [test again

  2. As retrieved on July 22, 2016, [test again

6 thoughts on “PSA: rejecting connections from Internet Explorer 10 and below!

  1. If you look higher in the SSLLabs report, I’ll be you find that that TLSv1.2 is disabled on — probably in preparation of moving to full PCI 3.1 compliance.

  2. @Raymond doesn’t the second screen capture show TLS 1.2 supported on

  3. Managed to write precisely the opposite. TLSv1.2 is enabled, but not TLSv1 or 1.1.

  4. Hi Mahmoud,

    I lead the developer advocacy effort over at PayPal. I’m sorry that you ran into this issue, but appreciate you bringing it up.

    Here’s what we did – I worked with the PayPal infosec team yesterday to take a look at the problem. What we did to try to resolve the issue was to duplicate the config settings on from, so both should be acting the same now (with the more inclusive settings).

    If you’re still seeing any problems, please do let me know and I can circle back.

    You can also contact me directly via the @paypaldev handle ( or my personal one (


  5. @Jonathan thank you for the quick and speedy response; I’ll ping you directly next time I find something (we’ve encountered other issues in the past and going through PayPal merchant support takes a while to flag a developer’s attention). However, I’m not seeing that the update has rolled out? A new test still reveals TLS 1.1 and 1.0 are disabled?

  6. @Mahmoud Apologies for the delay. It looks like the release was delayed from its original Friday deployment for a few reasons. The new release date was yesterday afternoon (PDT) and everything appears to now be duplicated in the config settings after running the tests. Let me know if anything else pops up, happy to help.

Leave a Reply

Your email address will not be published. Required fields are marked *