
PayPal Endpoint certificate upgrade - SHA-256 encryption

New Community Member

Re: I'm unclear what PayPal message means

Hope you get a response to this Ray, I received the email also.  I forwarded it to the Paypal spoof check email address.

 

If it is real, I do not know what changes I even need to make.  I do get Instant Payment Notifications.

 

Any help out there on this topic would be greatly appreciated.  I'll follow up if I hear anything back from Paypal.

 

Regards,

Kimberly

New Community Member

Re: I'm unclear what PayPal message means

Received confirmation from PayPal today, the email is legit.

 

I'm in the clear, but I think I will create a new copy/paste Paypal button and compare it to the one I currently use.  Maybe some changes in the code?

 

Good Luck all, and ty to the member marble, your post was very informative.  Nice that you took the time.

 

Kimberly

Member

Re: I'm unclear what PayPal message means

I received it also.  I would like to know if it is a spoof or for real.  If for real, what Immediate things must I do???

New Community Member

Re: I'm unclear what PayPal message means

I also received that email and I forwarded it to spoof@paypal. I'm pretty sure that it's bogus.

DonR

New Community Member

Re: I'm unclear what PayPal message means

It's not bogus, but it's also nowhere near as scary as it is written to be. Read their blog post over on https://devblog.paypal.com/paypal-ssl-certificate-changes/ for a slightly friendlier version.

 

The quote from there that I suspect you're all after however is:

 

"Upgrading is not required if you are using Website Payments Standard (the “Buy Now” buttons), or Payflow webapps only."

 

Now, I'm just a web developer and no security expert, but from what I can gather they're not going to be supporting any sites or servers that are using old encryption methods any more, and unless you've written your own PayPal integration you shouldn't need to do much with your software other than make sure it's up to date.

 

To determine if you need to do anything with your certificates or server:

 

Does your website use https instead of/as well as http?

If your site does use https, this may affect you. Keep reading. If no, you're in the clear and shouldn't need to change anything. If you're not sure, move on to the next step.

 

Does your server support SHA-2?

This is starting to get technical, but the test is pretty simple. Visit https://shaaaaaaaaaaaaa.com and enter your website's address.

 

If it comes back saying it can't connect you may not support https at all on your site and the changes won't affect your site.

 

If it tells you that your site/server supports the newer SHA-2 then you're all done. If it tells you you're using SHA-1 then you need to make some changes.

 

Chances are the biggest change you'll need to make is to order a new certificate (help can be found on the shaaaaaaaaaaaaa.com website). Worst case you may need to move your site to a more secure server.

 

If you want a more thorough test, you can fire your site at www.ssllabs.com/ssltest/analyze.html

 

If anyone with better security experience wants to correct me or clarify any of this I'd be glad to hear it!

Member

Re: I'm unclear what PayPal message means

Spoof@paypal.com says it is NOT legit and links in email are phishing links 

Member

Re: I'm unclear what PayPal message means


marblegravy wrote:

 

Does your website use https instead of/as well as http?

If your site does use https, this may affect you. Keep reading. If no, you're in the clear and shouldn't need to change anything. If you're not sure, move on to the next step.

 

Is this a quote from PayPal, or your own statement? If your own, can you refer to something which confirms that IPN over plain HTTP is going to be supported?

 

This feels like it should be a FAQ, since I think many sites will be using IPN over HTTP.

New Community Member

Help! What Does This Mean - in Plain English? IMMEDIATE ATTENTION REQUIRED: PayPal service upgrades

Hi Folks! Got the email shown below and would like to know if anyone received the same and/or understands it. Any insight would be greatly appreciated!!!

 

As we have previously communicated to you, PayPal is upgrading the certificate to SHA-256. This endpoint is also used by merchants using the Instant Payment Notification (IPN) product.

This upgrade is scheduled for 9/30/2015; however, we may need to change this date on short notice to you to align to the industry security standard.

You’re receiving this notification because you’ve been identified as a merchant who has used IPN endpoints within the past year. If you have not made the necessary changes, we urge you to do so right away to avoid a disruption of your service!

Because these changes are technical in nature, we advise that you consult with your individuals responsible for your PayPal integration. They will be able to identify what, if any, changes are needed. Please share this email and the hyperlinks below with your technical contact for evaluation.

Testing in the Sandbox is one of the best ways to make sure your integration works. Sandbox endpoints have been upgraded to accept secure connections by the SHA-256 Certificates.

Full technical details can be found in our Merchant Security System Upgrade Guide. In addition, our 2015-2016 SSL Certificate Change microsite contains a schedule of our service upgrade plan.

Thanks for your patience as we continue to improve our services.

New Community Member

Re: Help! What Does This Mean - in Plain English? IMMEDIATE ATTENTION REQUIRED: PayPal service upgra

I got it as well; unfortunately I don't quite understand it either. :(

Member

Re: Help! What Does This Mean - in Plain English? IMMEDIATE ATTENTION REQUIRED: PayPal service upgra

I received the same message.  I have no idea.  I can not find anything on the site to help me.  If it is so Immediate why don't they have info on it?