Does anyone know anything about this? I use the standard PayPal checkout...?
As we have previously communicated to you, PayPal is upgrading the certificate for www.paypal.com to SHA-256. This endpoint is also used by merchants using the Instant Payment Notification (IPN) product.
This upgrade is scheduled for 9/30/2015; however, we may need to change this date on short notice to you to align to the industry security standard.
You’re receiving this notification because you’ve been identified as a merchant who has used IPN endpoints within the past year. If you have not made the necessary changes, we urge you to do so right away to avoid a disruption of your service!
Because these changes are technical in nature, we advise that you consult with your individuals responsible for your PayPal integration. They will be able to identify what, if any, changes are needed. Please share this email and the hyperlinks below with your technical contact for evaluation.
Testing in the Sandbox is one of the best ways to make sure your integration works. Sandbox endpoints have been upgraded to accept secure connections by the SHA-256 Certificates.
It's about the certificates they use. If you use IPN, then your site (server) needs to support SHA-256 encrypted certificates.
If you don't use IPN then it doesn't apply.
If you do, contact your hosting and ensure that they have the proper ciphers and protocols installed on your server to support any incoming request from PayPal IPN.
I have taken a look at what PayPal is saying and researched the matter and I would like to start off by pointing out that PayPal is not referring to a GlobalSign Certificate.
The domains themselves are indeed secured by GlobalSign, however, when actively using PayPal on that website, it switches to a different secure connection which is using a VeriSign certificate. So the GlobalSign Certificate secures the Website, but the VeriSign one secures the data between the Website and PayPal.
What PayPal is saying here is that they will no longer be using the VeriSign G2 Root Certificate and that all websites that use this certificate to connect to PayPal must be updated to the G5 one. My recommendation there would be to contact PayPal, as they should know exactly what the procedure here is.
Tony, you are talking about IPN; is that not an old protocol, similar to PayPal Express?
Since we manage our own server, I guess if you are right I have some work to do.
But can we be sure that CS-Cart V4.3.3 and above are OK with this new protocol?
IPN has been around forever. It just wasn't supported in cs-cart until recently.
This really has nothing to do with cs-cart. By the time cs-cart gets any of the data it has already been decrypted by the system. So the issue is whether your system supports SHA-256 ciphers and the proper CA Bundles (Certificate Authority Bundles). The vast majority of servers running operating systems that have been updated in the past 2 years will have the proper support.
To test your site for raw SHA-256 support, SSH into your site and run the following. You should see results in the same format. Odds are that if you don't have SHA-256 available on your server, you won't even have the sha256sum command.
As it relates to the certificates themselves, there are 2 "CA Bundles" on most servers. One for the base server that handles most all requests, and then there is one for CURL. CURL is what's mostly used to connect to PayPal. However, this has nothing to do with IPN since IPN is an inbound request and does not use CURL.
So your system needs to have both the raw cipher support (SHA-256) AND the proper "CA Bundle" (Certificate Authority Bundle) that allows the data to be decrypted based on the sender's certificate and the receiver's CA Bundle.
I know this is way confusing, but that's half the point of encryption: to make it overly complicated.
Simple answer is to ask your hosting to ensure that your server:
has SHA-256 ciphers installed
has current CA Bundles for GeoTrust and other "authorities" installed.
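The two checks Tony's post asks your host for (SHA-256 digest support, and a CA bundle that actually contains the root PayPal's certificate chains to) can be scripted. The script below is an added example, not something posted in this thread or shipped by cs-cart or PayPal: it uses sha256sum or openssl for the digest, and lists every subject in a PEM bundle so you can grep for the root you need. The bundle path and the default root name ("VeriSign Class 3 Public Primary Certification Authority - G5", the G5 root the thread refers to) are assumptions; pass your own if your server differs.

```shell
#!/bin/sh
# Added example (not from the thread). Checks SHA-256 digest support and
# whether a PEM CA bundle contains a given root. Run on the server over SSH.

# 1. SHA-256 of a string: prefer sha256sum, fall back to openssl dgst.
#    Exit status 1 means no SHA-256 tool is available at all.
sha256_of_string() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    elif command -v openssl >/dev/null 2>&1; then
        # Output looks like "(stdin)= <hex>" or "SHA2-256(stdin)= <hex>";
        # keep only the hex digest.
        printf '%s' "$1" | openssl dgst -sha256 | sed 's/^.*= //'
    else
        echo "no SHA-256 tool found (sha256sum or openssl)" >&2
        return 1
    fi
}

# 2. Does the installed OpenSSL build know the sha256 digest?
#    Returns 0 if yes, 1 if the digest is missing, 2 if openssl is absent.
openssl_has_sha256() {
    command -v openssl >/dev/null 2>&1 || return 2
    printf '' | openssl dgst -sha256 >/dev/null 2>&1
}

# 3. Does a PEM CA bundle contain a root whose subject matches a pattern?
#    $1 = bundle path (assumed; e.g. /etc/ssl/certs/ca-certificates.crt)
#    $2 = substring of the subject (default: the VeriSign G5 root, assumed)
#    Returns 0 if found, 1 if not, 2 if the bundle is unreadable.
ca_bundle_has_root() {
    bundle="$1"
    pattern="${2:-VeriSign Class 3 Public Primary Certification Authority - G5}"
    [ -r "$bundle" ] || { echo "bundle not readable: $bundle" >&2; return 2; }
    # crl2pkcs7 wraps every cert in the bundle; pkcs7 -print_certs prints
    # one "subject=" line per certificate, which we grep for the pattern.
    openssl crl2pkcs7 -nocrl -certfile "$bundle" 2>/dev/null \
        | openssl pkcs7 -print_certs -noout 2>/dev/null \
        | grep -F "subject=" | grep -qF -- "$pattern"
}

# Stand-alone run: report on the usual Debian/Ubuntu bundle location (assumed).
if [ "${1:-}" = "--run" ]; then
    echo "sha256(\"abc\") = $(sha256_of_string abc)"
    openssl_has_sha256 && echo "openssl: sha256 digest available" \
        || echo "openssl: sha256 digest NOT available (or openssl missing)"
    bundle="${2:-/etc/ssl/certs/ca-certificates.crt}"
    if ca_bundle_has_root "$bundle"; then
        echo "G5 root found in $bundle"
    else
        echo "G5 root NOT found in $bundle (status $?)"
    fi
fi
```

Invoke it as `sh check-sha256.sh --run /path/to/ca-bundle.crt`. On a server that cannot produce a SHA-256 digest at all, `sha256_of_string` fails with status 1, which is the "you won't even have sha256sum" case from the post; on one whose bundle predates the G5 root, `ca_bundle_has_root` returns 1, which is the case where the hosting company needs to update the CA bundle (for cURL, check the bundle cURL is built against separately, since it is often a different file).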
Yes, that can work too. But note that a site can have a valid SHA256 certificate but not show it for the end-point; instead you have to look at the "Details" tab to find that the SHA256 cipher is used.
Different "Authorities" will put different things in the name/path that they display.
Two of the three are clear (Google is okay and Amazon uses obsolete ciphers) and Yahoo (Symantec) only shows the protocol (TLS 1.2) and not the cipher. They all use different "Authorities", so it seems to be "authority dependent" what information is actually shown in the certificate info.
Being a techy nerd, this was an interesting pursuit.
It is due to your server accepting RSA connections.
For PCI compliance, RSA must be disabled along with SSL 2, SSL 3 and TLS 1.1. But if you're not required to be PCI compliant I wouldn't worry about it. Nothing for them to steal if there is no cardholder data on your site.