Find the answer to your question
Updated December 22, 2016: Apple just announced that they are extending the deadline for this change. As of today, they have not specified a new deadline. We will update the dates below when the information is available herself. Please see the latest from Apple for more information here:
Starting in mid-January, listings that include files hosted on non-compliant domains will not show up correctly on eBay sites, when viewed on the latest iOS apps (including eBay’s apps), until those domains are updated to be compliant with Apple’s standards.
We recommend that you act now to make sure your domain and/or listings are fully compliant with Apple’s requirements by mid-January, 2017
What is changing with Apple security?
Apple provides a security feature called App Transport Security (ATS) to all iOS apps and app extensions. ATS is enabled by default and ensures all HTTPS connections use industry recommended standards.
See details below for how to determine whether a domain is compliant with these security standards.
Is this related to eBay’s active content requirements or links policy?
Whether you include content on your own web pages or in your eBay listings (or elsewhere), if that content is hosted on a non-compliant domain, the content will not render properly on ATS-compliant devices and applications.
Is eBay requiring me to make this change?
This is not an eBay requirement. Content hosted on non-compliant websites may be affected when accessed via any ATS compliant device or application.
We are informing you as a courtesy, to make sure you are aware of how this industry change might affect your business, including your eBay listings.
Exactly how does this security change affect a seller’s listings?
Starting in mid-January, if you have customized item description or other content that includes images, links, and other URLs on hosting sites are not ATS compliant, these images and links will not work as expected on devices and applications that meet the ATS standard.
- Images hosted on a non-compliant domain will not be displayed, and buyers may see a broken placeholder image.
- Listings with templates that use Cascading Style Sheets (CSS) hosted on a non-compliant domain may not render your text, headers, tables, and fonts correctly on compliant iOS applications—or they might not show up at all and buyers may see an error message
- Links to non-compliant domains may not resolve when buyers click them.
Scenario 1: Content on a compliant domain renders completely.
Note that if you still use HTTP, it may continue to work for some period; but we recommend that you move to HTTPS as soon as possible.
Scenario 2: Image/CSS links in description are hosted on a non-compliant domain. Images do not render.
Scenario 3: External link to a non-compliant domain may display an error when clicked.
How widespread is this issue?
ATS is becoming an industry standard. This issue currently applies to all iOS9 apps (and higher), and most other mobile operating systems are already or will soon be adopting similar security requirements as well.
On eBay, less than 1% of all eBay listings contain links to domains that are not ATS-compliant. As your domain has been identified as non-compliant, we want to make sure that you and any sellers you support are aware, so that you can take corrective actions and avoid impacting your customers’ sales.
How do I know if a hosting domain is ATS compliant?
There are various ways to test the SSL configuration of an endpoint to meet ATS requirements. Here are some examples:
1. NSCurl (a Method Offered by Apple)
nscurl --ats-diagnostics [--verbose] <URL>
Reference: NSCurl Diagnostics
2. Qualys SSL test: https://www.ssllabs.com/ssltest/
This test checks for "Apple ATS 9 / iOS 9” ATS requirements. Example:
3. High-Tech Bridge SSL Test: https://www.htbridge.com/ssl/
· If you plan to continue hosting images, CSS, or linked content on your domain, update your system to be compliant with the latest security standards (see below). If you do not have administrator access to your domain, you may need to contact your domain provider for assistance.
· If you host listing content created by other sellers, inform your customers whether they need to change their listings, or whether you will be updating your domain to be ATS-compliant.
· Consider removing the photos from your listing description and uploading them to eBay picture services. Remember, you can upload up to 12 photos per listing for free using the eBay photo uploader or via the Trading API.
How do I update my domain to be compliant?
As a best practice, update to the latest security protocols that are required by browsers and devices you intend to support, including Apple iOS.
For example, for HTTPS connections with App Transport Security the following must be met:
1. TLS 1.2 Protocol
2. ECDHE based PFS ciphers
3. CA Certs with SHA 256 and RSA 2048
For details please refer to Apple’s Documentation:
Other devices and browsers may specify different requirements.
Please note that eBay might not monitor your domain’s ongoing compliance with the latest industry standards. We suggest that you keep your servers/systems up to date as a best practice.
Also keep an eye on our Knowledge Base article for further information and ongoing tips as these changes go into effect:
If you cannot update your domain or system by mid-January, here are some alternatives that can help buyers view your listings correctly in the meantime:
· Most secure: Move the content to an ATS compliant domain, and update your listings and templates accordingly.
· Best page load performance: Completely remove the non-compliant URLs from your listings and templates.
· If you use HTTP: If you still use HTTP instead of HTTPS, your existing links may continue work within item descriptions and within mobile web contexts for some period. However, please be aware that HTTP URLs may not work in all native app contexts, once an app is ATS-compliant. Thus, your customers may experience unexpected failures with HTTP URLs, even if the same URLs appear to work correctly within their listing descriptions. As more browsers and devices are shifting to require the latest security standards over time, HTTP is not recommended long-term.