
PayPal IPN Changes?

 
  • JackConnick
  • Senior Member
  • Trial users
  • Join Date: 03-Jun 12
  • 295 posts

Posted 10 September 2015 - 08:45 PM #1

Does anyone know anything about this? I use the standard PayPal checkout...?

 

As we have previously communicated to you, PayPal is upgrading the certificate for www.paypal.com to SHA-256. This endpoint is also used by merchants using the Instant Payment Notification (IPN) product.
 
This upgrade is scheduled for 9/30/2015; however, we may need to change this date on short notice to you to align to the industry security standard.

You’re receiving this notification because you’ve been identified as a merchant who has used IPN endpoints within the past year. If you have not made the necessary changes, we urge you to do so right away to avoid a disruption of your service!

 

Because these changes are technical in nature, we advise that you consult with your individuals responsible for your PayPal integration. They will be able to identify what, if any, changes are needed. Please share this email and the hyperlinks below with your technical contact for evaluation.

Testing in the Sandbox is one of the best ways to make sure your integration works. Sandbox endpoints have been upgraded to accept secure connections by the SHA-256 Certificates.

Full technical details can be found in our Merchant Security System Upgrade Guide. In addition, our 2015-2016 SSL Certificate Change microsite contains a schedule of our service upgrade plan.

 

TIA,

Jack



 
  • parodius420
  • Senior Member
  • Members
  • Join Date: 03-Dec 11
  • 611 posts

Posted 10 September 2015 - 09:13 PM #2

Was getting ready to post the same thing.

 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11365 posts

Posted 10 September 2015 - 10:33 PM #3

It's about the certificates they use.  If you use IPN, then your site (server) needs to support SHA-256 encrypted certificates.

If you don't use IPN then it doesn't apply.

 

If you do, contact your hosting and ensure that they have the proper cyphers and protocols installed on your server to support any incoming request from PayPal IPN.


EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.


 
  • Mongoose
  • Senior Member
  • Members
  • Join Date: 08-Mar 13
  • 985 posts

Posted 11 September 2015 - 10:08 AM #4

@tbirnseth

 

Tony, you are talking about IPN; is that not an old protocol, similar to PayPal Express?

 

Since we manage our own server I guess if you are right I have some work to do.

 

But can we be sure that CS Cart V4.3.3 and above are OK with this new protocol?


running CS Cart V4.10.3.SP1 


 
  • American
  • Member
  • Members
  • Join Date: 12-Feb 10
  • 108 posts

Posted 11 September 2015 - 03:47 PM #5

Sub'd. Same questions.


Brad G

CSC: 4.10.2


 
  • johnbol1
  • Never Re
  • Members
  • Join Date: 23-Feb 10
  • 4644 posts

Posted 11 September 2015 - 04:27 PM #6

My host replied below:

 

I have taken a look at what PayPal is saying and researched the matter and I would like to start off by pointing out that PayPal is not referring to a GlobalSign Certificate.
The domains themselves are indeed secured by GlobalSign, however, when actively using PayPal on that website, it switches to a different secure connection which is using a VeriSign certificate. So the GlobalSign Certificate secures the Website, but the VeriSign one secures the data between the Website and PayPal.
What PayPal is saying here, is that they will no longer be using the Verisign G2 Root Certificate and that all websites that use this certificate to connect to PayPal must be updated to the G5 one. My recommendation there would be to contact PayPal as they should know exactly what the procedure here is.


Custom printed hi visibility clothing sale the UK's online hivis safety shop
v4.5.2


 
  • Ayokay
  • Junior Member
  • Members
  • Join Date: 12-Apr 11
  • 31 posts

Posted 11 September 2015 - 06:42 PM #7

Someone's gotta know the answer to this:

 

Does CS-Cart use PayPal's IPN?

Do CS-Cart store owners need to worry about this?

 

Thanks!



 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11365 posts

Posted 11 September 2015 - 07:00 PM #8

@tbirnseth

 

Tony, you are talking about IPN; is that not an old protocol, similar to PayPal Express?

 

Since we manage our own server I guess if you are right I have some work to do.

 

But can we be sure that CS Cart V4.3.3 and above are OK with this new protocol?

IPN has been around forever.  It just wasn't supported in cs-cart until recently.

 

This really has nothing to do with cs-cart.  By the time cs-cart gets any of the data it has already been decrypted by the system.  So the issue is whether your system supports SHA-256 cyphers and the proper CA Bundles (Certificate Authority Bundles).  The vast majority of servers running operating systems that have been updated in the past 2 years will have the proper support.

 

To test your site for raw SHA-256 support, SSH into your site and run the following.  You should see results in the same format.  Odds are that if you don't have SHA-256 available on your server, you won't even have the sha256sum command.

root@vpsXXXX [functions]# sha256sum /etc/passwd
21cec58435540b623bff2bba1b2d13811bb41749df0739XXXXX4b6229de4ed2  /etc/passwd

 

As it relates to the certificates themselves, there are 2 "CA Bundles" on most servers.  One for the base server that handles most all requests and then there is one for CURL.  CURL is what's mostly used to connect to paypal.  However, this has nothing to do with IPN since IPN is an inbound request and does not use CURL.

 

So your system needs to have both the raw cypher support (SHA-256) AND the proper "CA Bundle" (Certificate Authority Bundle) that allows the data to be decrypted based on the sender's certificate and the receiver's CA Bundle.

 

I know this is way confusing, but half the point of encryption is to make it overly complicated.

 

Simple answer is to ask your hosting to ensure that your server:

  1. has SHA-256 cyphers installed
  2. has current CA Bundles for GeoTrust and other "authorities" installed.



 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 962 posts

Posted 12 September 2015 - 01:41 PM #9

Here was I thinking that just checking out the padlock was enough...lol

Attached: ssldetails.jpg


 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11365 posts

Posted 12 September 2015 - 08:33 PM #10

Yes, that can work too.  But note that a site can have a valid SHA256 certificate but not show it for the end-point; instead you have to look at the "Details" tab to find that the SHA256 cypher is used.

 

Different "Authorities" will put different things in the name/path that they display.




 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11365 posts

Posted 12 September 2015 - 09:58 PM #11

As an experiment, I looked around at a few public sites at what the browser padlock shows as the encryption method.  Take a look at

https://google.com

https://amazon.com

https://yahoo.com

 

Two of the three are clear (Google is okay and Amazon uses obsolete cyphers) and Yahoo (Symantec) only shows the protocol (TLS 1.2) and not the cypher. They all use different "Authorities" so it seems to be "authority dependent" what information is actually shown in the certificate info.

 

Being a techy nerd, this was an interesting pursuit.




 
  • tangmo12
  • Newbie
  • Members
  • Join Date: 10-Jun 14
  • 13 posts

Posted 13 September 2015 - 01:02 PM #12

So there is nothing to do with CS-CART, right? Just make sure that the hosting server supports SHA-256. Is my understanding correct?



 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11365 posts

Posted 13 September 2015 - 06:10 PM #13

It is a site security certificate issue.

Use the Padlock method above to check your site and then view the Details tab after View Certificate.

If it shows SHA256 as one of the "Fingerprints" or other indication that SHA256 is used

Or ask your hosting company to verify that SHA256 is supported by your site certificate and the underlying CA Bundle on your system.

 

Sorry, it's a difficult topic to explain completely in easy to understand terms (or at least it's beyond my capability).


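The "Details" check in #13 and the "signature hash" remark in #15 are both about one field of the certificate: the signature algorithm, i.e. the hash the issuing CA used when it signed the certificate. The "Fingerprint" lines shown next to it are hashes the browser computes locally over the whole certificate and say nothing about what the CA used, so it is the signature algorithm line that answers the SHA-256 question. The script below is an added example, not part of this thread and not CS-Cart code; it reads that field straight out of the DER structure so the same check can be run on the server's own certificate file (PEM or DER) without a browser. The `toy_certificate` helper and its OID list are constructed for this example so it can run offline; the stand-ins it builds have the right outer shape but are not valid certificates.

```python
"""Report which hash the issuing CA used to sign an X.509 certificate.

Usage: python3 sigalg_check.py /path/to/site.crt   (PEM or DER)
With no argument it runs against two constructed, non-valid stand-in
certificates so the script can be exercised offline.
"""
import base64
import re
import sys

# signatureAlgorithm OIDs relevant to the SHA-1 -> SHA-256 migration (subset)
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
SHA2_FAMILY = {"sha256WithRSAEncryption", "sha384WithRSAEncryption",
               "sha512WithRSAEncryption", "ecdsa-with-SHA256", "ecdsa-with-SHA384"}


def read_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(raw):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def pem_to_der(data):
    """Accept PEM or DER bytes and return DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data


def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Skip the TBS and read the OID inside the AlgorithmIdentifier that follows it."""
    tag, pos, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(der, pos)             # tbsCertificate (skipped)
    _, alg_start, _ = read_tlv(der, tbs_end)       # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_OIDS.get(oid, oid)                  # unknown OIDs come back in dotted form


def is_sha2_signed(der):
    return signature_algorithm(der) in SHA2_FAMILY


# --- constructed stand-ins (NOT valid certificates), only so the script runs offline ---
def tlv(tag, body):
    assert len(body) < 128                         # short-form length is enough here
    return bytes([tag, len(body)]) + body


def encode_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append((p & 0x7F) | 0x80)
            p >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def toy_certificate(sig_oid):
    tbs = tlv(0x30, tlv(0x02, b"\x01"))                                 # TBS holding only serialNumber 1
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + tlv(0x05, b""))    # AlgorithmIdentifier + NULL params
    sig = tlv(0x03, b"\x00" + b"\xab" * 8)                               # BIT STRING, 0 unused bits
    return tlv(0x30, tbs + alg + sig)


def toy_certificate_pem(sig_oid):
    body = base64.encodebytes(toy_certificate(sig_oid))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            der = pem_to_der(f.read())
        verdict = "SHA-2 family" if is_sha2_signed(der) else "weak or unknown"
        print(sys.argv[1], "->", signature_algorithm(der), "(" + verdict + ")")
    else:
        for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
            der = toy_certificate(oid)
            print(oid, "->", signature_algorithm(der), is_sha2_signed(der))
```

On a real server the same answer comes from `openssl x509 -in site.crt -noout -text | grep "Signature Algorithm"`; the script is just that one lookup without depending on the OpenSSL CLI. Note that an intermediate or root in the chain can still be SHA-1 signed even when the leaf is SHA-256, so the check belongs on every certificate in the bundle the server sends, not only the site certificate.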


 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 962 posts

Posted 13 September 2015 - 10:40 PM #14

How does this look ??

Attached: ssldetails.jpg


 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11365 posts

Posted 14 September 2015 - 06:08 PM #15

From a PayPal perspective you are good to go (your signature hash is SHA256).

From a PCI compliance standpoint you need to get rid of RSA as a protocol (it's now considered insecure).




 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 962 posts

Posted 14 September 2015 - 11:38 PM #16

I don't accept direct credit card payments. Only PayPal or Bank Transfer.

Out of curiosity, is this PCI non-compliance due to my SSL Certificate

or CS-Cart's 4.3.3 design ?



 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11365 posts

Posted 15 September 2015 - 05:30 AM #17

It is due to your server accepting rsa connections.

For pci compliance, rsa must be disabled along with ssl2 and ssl3 and tls 1.1. But if you're not required to be pci compliant I wouldn't worry about it. Nothing for them to steal if no cardholder data on your site.

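The list in #17 (SSLv2, SSLv3, TLS 1.1, plus "RSA") comes down to two server-side settings: a protocol floor and a cipher list. The code below is an added example, not CS-Cart code and not anyone's hosting configuration; it uses Python's standard `ssl` module (over OpenSSL) as a stand-in for whatever web server terminates TLS on the site, so the two contexts are the permissive setting beside the corrected one. I read the thread's "RSA" as the TLS 1.2 suites that use static RSA key exchange (no forward secrecy), which OpenSSL's `!kRSA` keyword removes; RSA certificates themselves stay in use. The `audit` function reports what a context still permits, so it can be pointed at the permissive context to see the gap.

```python
"""Server-side TLS settings: a permissive context beside one that meets the
thread's list (no SSLv2/SSLv3/TLS 1.0/1.1, no static-RSA key exchange).

Assumed stack: Python's ssl module over OpenSSL. The cipher string is an
illustration for this example, not a vendor's recommended configuration.
"""
import ssl

VERSIONS = [ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
MODERN = ("TLSv1_2", "TLSv1_3")


def permissive_context():
    """Whatever the library allows by default: older builds still offer
    TLS 1.0/1.1 and RSA-key-exchange suites here."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def hardened_context():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # One setting drops SSLv3, TLS 1.0 and TLS 1.1 together (SSLv2 is gone from OpenSSL).
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Ephemeral-ECDHE AEAD suites only; !kRSA removes static RSA key exchange.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!kRSA")
    return ctx


def allowed_versions(ctx):
    """Protocol versions the context will negotiate, by name."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = VERSIONS[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = VERSIONS[-1]
    return [v.name for v in VERSIONS if lo <= v <= hi]


def static_rsa_suites(ctx):
    """Enabled suites whose key exchange is plain RSA (TLS 1.3 suites report 'kx-any')."""
    return [c["name"] for c in ctx.get_ciphers() if c.get("kea") == "kx-rsa"]


def audit(ctx):
    versions = allowed_versions(ctx)
    legacy = [v for v in versions if v not in MODERN]
    rsa_kx = static_rsa_suites(ctx)
    return {
        "versions": versions,
        "legacy_versions": legacy,       # anything below TLS 1.2 still enabled
        "static_rsa_suites": rsa_kx,     # suites the thread's "RSA" point refers to
        "pci_ok": not legacy and not rsa_kx,
    }


if __name__ == "__main__":
    for label, ctx in (("permissive", permissive_context()), ("hardened", hardened_context())):
        print(label, audit(ctx))
```

The same two knobs exist in every web server (for example `SSLProtocol`/`SSLCipherSuite` in Apache, `ssl_protocols`/`ssl_ciphers` in nginx); what the audit checks is the outcome, not the syntax, which is also how an external scanner would judge the site.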


 
  • IsItFast
  • Senior Member
  • Members
  • Join Date: 16-Sep 08
  • 547 posts

Posted 28 September 2015 - 08:04 PM #18

Disregard.


V4.3.1 with about 10,000 highly customizable products. Several mods done....some of which now come standard with CS now. (Started with V1.3.5)

V3.0 in a few other small stores.