## Using TLS and HTTPS

TLS (Transport Layer Security) is the protocol used to securely transmit data between the client (the app or browser that your customer is using) and your server. This was originally done with the SSL (Secure Sockets Layer) protocol. However, SSL is outdated and no longer secure, and has been replaced by TLS. The term “SSL” continues to be used colloquially when referring to TLS and its function of protecting transmitted data.

Payment pages must make use of a modern version of TLS (e.g., TLS 1.2) as it significantly reduces the risk of you or your customers being exposed to a man-in-the-middle attack. TLS attempts to accomplish the following:

  • Encrypt and verify the integrity of traffic between the client and your server

  • Verify that the client is communicating with the correct server. In practice, this usually means verifying that the owner of the domain and the owner of the server are the same entity. This helps prevent man-in-the-middle attacks. Without it, there’s no guarantee that you’re encrypting traffic to the right recipient.

Additionally, your customers are more comfortable sharing sensitive information on pages visibly served over HTTPS, which can help increase your customer conversion rate.

If need be, you can test your integration without using HTTPS, and enable it once you are ready to accept live charges. However, all interactions between your server and Affirm must use TLS 1.2 (i.e., when using our libraries).

## Supported Ciphers

**Current List of Supported Ciphers as of 7/2/2018**

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES256-GCM-SHA384

  • AES256-SHA256

[AWS: Supported Protocols and Ciphers](🔗)

[AWS: Predefined SSL Security Policies](🔗)
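The following is an added example, not code from Affirm or its libraries: a Python `ssl` client context that requires TLS 1.2 or newer, verifies the server certificate and hostname, and offers only the cipher suites listed above, plus a check for listed suites that the local OpenSSL build has disabled. The function names are illustrative assumptions.

```python
import ssl

# Cipher names copied from the "Supported Ciphers" list above (OpenSSL naming).
LISTED_CIPHERS = (
    "AES128-GCM-SHA256",
    "AES128-SHA256",
    "AES256-GCM-SHA384",
    "AES256-SHA256",
)


def build_client_context() -> ssl.SSLContext:
    """Client context: TLS 1.2 or newer, certificate and hostname verified."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Restricts the TLS 1.2 suites offered. OpenSSL manages TLS 1.3 suites
    # separately, so set_ciphers() does not remove them.
    ctx.set_ciphers(":".join(LISTED_CIPHERS))
    return ctx


def offered_tls12_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of the pre-TLS 1.3 suites this context will offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def missing_from_local_build(ctx: ssl.SSLContext) -> list:
    """Listed suites that the local OpenSSL build or system policy disabled."""
    offered = set(offered_tls12_ciphers(ctx))
    return [name for name in LISTED_CIPHERS if name not in offered]


if __name__ == "__main__":
    context = build_client_context()
    print("minimum version:", context.minimum_version.name)
    print("TLS 1.2 suites offered:", offered_tls12_ciphers(context))
    print("listed but unavailable locally:", missing_from_local_build(context))
```

If `missing_from_local_build` returns all four names, `set_ciphers` will already have raised `ssl.SSLError`, which means the local TLS stack cannot negotiate any suite on the list.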