This page outlines some simple precautions you can take to make paying via the Internet a safe and painless experience. If you’re not used to making online payments, please review the questions and answers below for guidance and reassurance. To avoid potential problems, we deal only with well-established reputable organisations that use strong encryption and have acceptable security and privacy policies. PayPal meets these criteria.
Internet Explorer supports 128-bit encryption as standard from Version 5.5 onwards. Earlier versions of Internet Explorer support only 40-bit encryption by default.
If you are using Internet Explorer, select Help > About Internet Explorer and check the displayed “Cipher Strength”. If this is less than 128-bit, for maximum security you should upgrade to 128-bit encryption by installing the Internet Explorer High Encryption Pack from Microsoft.
Many people worry about sensitive information, such as passwords or credit card numbers, being intercepted or recorded as it passes across the Internet. In reality this is not a significant risk provided that you send information only to secure web servers. Information sent to or from secure web servers is encrypted using SSL to prevent eavesdroppers from being able to read it.
The main risk is from unwanted pieces of malicious software (worms, viruses or trojan horses) running on your own computer. Typically these arrive disguised as e-mail attachments and covertly install themselves when you try to open the attachments. Some of them may log your keystrokes before they are encrypted and secretly transmit them over the Internet for analysis by a remote program. To protect against this, ensure that you have installed and enabled anti-virus software from a reputable supplier such as Symantec (Norton) or Network Associates (McAfee). In addition, before entering sensitive information, ensure that the virus definitions used by your anti-virus software are up to date, by downloading the latest update from the Internet if necessary.
Check the address box near the top of the browser window. The address of a secure web page starts with “https:” (note the “s” for “secure”). The address of a non-secure web page normally starts with “http:” (with no “s”).
(Internet Explorer) Check the status bar near the bottom of the browser window. A locked padlock indicates a secure page. Double-click on the padlock to view the site certificate. A non-secure page has no padlock on the status bar.
(Netscape) Check the status bar near the bottom of the browser window. A locked padlock or solid key indicates a secure page. An open padlock or broken key indicates a non-secure page.
Don’t enter sensitive information into a web page unless you are confident that it’s a secure page. Don’t assume that a web page is secure if you cannot see the status bar.
A digital certificate is a small electronic document used for two different purposes: encryption and authentication. Encryption prevents messages from being altered in transit or read by anyone other than the intended recipient. Authentication confirms that the person or website you are dealing with is genuinely who they claim to be. Digital certificates are issued by trusted third parties called certification authorities. Well-known certification authorities include VeriSign and Thawte.
A root certificate is a top-level certificate used to validate other certificates such as those used by secure websites. Root certificates are normally pre-installed in your web browser, but if you have an older browser you may sometimes need to install a new root certificate yourself (see Question 4.1). In Internet Explorer you can view the installed root certificates by selecting Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities.
SSL stands for Secure Sockets Layer. This is a protocol used to encrypt information for transmission over the Internet so that it cannot be read or altered by a third party. Encryption is done using a session key which is created when you connect to a secure web server. The size of the session key (measured in bits) determines how hard it is to break the encryption – each extra bit doubles the average time needed to decipher an encrypted message by brute force. The most commonly used key sizes are 40 bits (also known as “weak encryption”) and 128 bits (also known as “strong encryption”). The most powerful computers currently available can break 40-bit encryption within hours whereas to break 128-bit encryption by brute force would take them much longer than the expected lifetime of the universe. 128-bit encryption is now the norm for commercial Internet transactions.
You may see this message if you access the PayPal secure website using an older browser. The reason is that Paypal’s certificate depends on a root certificate issued by VeriSign which expires on 2 August 2028. Older browsers have an earlier version of this root certificate which expires on 8 January 2004. Although the earlier version of the root certificate is still valid, it does not authenticate the PayPal certificate because the PayPal certificate expires after 8 January 2004. This particular failure does not affect the encryption of messages, so in this case it is still safe to proceed with the transaction (although in general you should take certificate warnings very seriously).
To eliminate the warning message, update the root certificate used by your browser as follows:
Never install certificates from the Web unless you are confident that they are genuine. You can be confident in this case because the certificate comes directly from the secure website of VeriSign Inc., a reputable certification authority.