Stripe is a payment processing service which works more or less like this:

  • A user visits our web application and fills in their card details in a form
  • Some JavaScript provided by Stripe and loaded within a <script> tag on the page makes an asynchronous request to Stripe's servers, which exchange the card details for a token
  • The token is posted to our application backend, which sends it back to Stripe. This causes a charge to be made at the user's bank

Our server is only allowed to communicate with Stripe's API over TLS 1.2.

However, the Stripe front end JavaScript supports IE9 and IE10, which do not handle TLS 1.2 out of the box. Therefore, some users on these browsers will request the Stripe JavaScript using the weaker TLS 1.0.

What's to stop someone spoofing the Stripe JavaScript for these users and man-in-the-middling their card details?

djb

1 Answer

Good question!

The PCI Security Standards Council set the TLS 1.0 cutoff date to June 30, 2018 [1].

In an effort to make the transition easier, Stripe started enforcing TLS 1.2 for accounts created after July 1, 2016 [2] and is progressively phasing out support for TLS 1.0 and 1.1 for older accounts.

That said, for client-side libraries (Checkout and Stripe.js), Stripe still allows TLS 1.0 / 1.1 as you noted. This is because Stripe doesn't want to unnecessarily prevent customers from paying, even if they're using older browsers / OS that are not capable of using TLS 1.2.

Of course, by June 30, 2018, customers using a TLS 1.0 browser will no longer be able to pay via Stripe (or any other online payment processor).

Ywain
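The practical question behind the thread is how many of your own payment-page visitors are still negotiating TLS 1.0/1.1, and whether your server-side Stripe client refuses anything weaker than TLS 1.2. The following is an added example, not code from either poster or from Stripe; it assumes a constructed nginx-style access log whose format appends the negotiated $ssl_protocol and $ssl_cipher to each line, and the /checkout path is a hypothetical payment page.

```python
import re
import ssl
from collections import Counter

# Constructed sample lines (not real traffic) in a custom nginx log format
# that appends the negotiated protocol and cipher to each entry.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jun/2018:10:00:01 +0000] "GET /checkout HTTP/1.1" 200 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.11 - - [01/Jun/2018:10:00:02 +0000] "GET /checkout HTTP/1.1" 200 TLSv1 AES128-SHA
203.0.113.12 - - [01/Jun/2018:10:00:03 +0000] "GET /static/app.js HTTP/1.1" 200 TLSv1.1 ECDHE-RSA-AES128-SHA
203.0.113.13 - - [01/Jun/2018:10:00:04 +0000] "GET /checkout HTTP/1.1" 200 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
"""

# Request line, status, then the two TLS fields at the end of the entry.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d+ (?P<proto>TLSv[\d.]+) (?P<cipher>\S+)$'
)

MIN_OK = (1, 2)  # TLS 1.2 is the floor PCI DSS requires after the cutoff date


def proto_tuple(proto):
    """Map nginx's protocol string to a comparable tuple: 'TLSv1' -> (1, 0), 'TLSv1.2' -> (1, 2)."""
    parts = proto[len("TLSv"):].split(".")
    return (int(parts[0]), int(parts[1]) if len(parts) > 1 else 0)


def legacy_tls_hits(log_text, path_prefix="/checkout"):
    """Count payment-page requests negotiated below TLS 1.2, keyed by protocol.

    Only requests under path_prefix are counted: those are the page loads that
    pull in the Stripe script and so are the ones exposed to a downgraded connection.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or not m.group("path").startswith(path_prefix):
            continue
        if proto_tuple(m.group("proto")) < MIN_OK:
            hits[m.group("proto")] += 1
    return hits


def stripe_api_context():
    """SSL context for the server-side leg (token -> charge): refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # certificate verification and hostname checking on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

Feeding the real access log to legacy_tls_hits tells you how many checkout loads would be affected by dropping TLS 1.0/1.1 at your own edge, while stripe_api_context is what the backend should use for its own calls regardless of what browsers the front end still tolerates.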