Will PayPal be upgrading THEIR own SSL cert?

OzWizard
Contributor

PayPal's very own EV SSL certificate will be distrusted in an upcoming release of the Chrome browser.

The certificate used to load https://www.paypal.com/webapps/hermes?token=XXXXXXXXXXXXXX&useraction=commit&rm=2&mfid=XXXXXXXXXX uses an SSL certificate that will be distrusted in an upcoming release of Chrome. Once distrusted, users will be prevented from loading this resource. See https://g.co/chrome/symantecpkicerts for more information.

Symantec was lazy and issued invalid EV certificates, so Chromium decided to distrust their CA. Symantec ended up selling their PKI business to DigiCert.

Does anyone know when PayPal will be updating their EV certs to avoid disruption of services? The new DigiCert CA to replace Symantec's should be up no later than December 1. Why did PayPal even bother buying a Symantec EV on 9/21/2017?


Feraud
Contributor

I asked myself the same question.

ewheelerinc
New Community Member

Maybe PayPal will become their own CA(!) but, for those running your own website: If you run a PayPal IPN website (or any SSL website for that matter), make sure your certificate is not affected by the Symantec SSL distrust that Chrome has created.  There is a test tool available here:  Check Your Website for Distrusted Symantec SSL Certificates


OzWizard
Contributor

You don't have to fill out a form and submit your information to anyone. If using Chrome (the browser that is distrusting the certificates), simply hit F12 to go to the Developer Console. There will be a yellow notice "The SSL certificate used to load resources from ___________ will be distrusted in M70."

This notice appears in my Chrome 63. It should have started as far back as Chrome 59. If Chrome is telling you this, why use an additional test tool that will tell you the same thing?

The full BLINK-DEV history of the Chromium discussion.


tklow
New Community Member

This thread died out, but the question remains.

Will PayPal be upgrading their certificates, or should I be taking some other action at this point?

lalunecreative
Contributor

Also would love an answer to this. All of our sites running PayPal are throwing the error in Chrome.

nzerinto
Contributor

According to Google, the beta for M70 (which I'm guessing means version 70) will be released in Sept 2018, so basically PayPal needs to have updated their SSL by then, otherwise all our sites are going to start throwing warning signs to users. Here's hoping PayPal doesn't leave this until the last minute...

Jojo444
Contributor

I would like a reply to this.

GoogleBlog states:

Chrome 66 has already been released to the Canary and Dev channels, meaning affected sites are already impacting users of these Chrome channels. If affected sites do not replace their certificates by March 15, 2018, Chrome Beta users will begin experiencing the failures as well. 

If you see this message in DevTools, you’ll want to replace your certificate as soon as possible. If the certificates are not replaced, users will begin seeing certificate errors on your site as early as July 20, 2018. The first Chrome 70 Beta release will be around September 13, 2018.

Why has this not yet been fixed?

OzWizard
Contributor

I sent an email to Merchant Technical Services asking for general information.

c_zagarskas
Member

RE:

The SSL certificate used to load resources from https://www.paypal.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for more information.

Came across this chain while developing with PHP and IPN for a client.

I keep getting warnings of impending doom in Google Chrome as well...

Thought I would chime in and point out a few places we can post about this to make sure it's on their "radar":

https://www.paypal-techsupport.com

https://developer.paypal.com/support/

https://stackoverflow.com/questions/ask

https://developer.paypal.com

https://www.paypal-techsupport.com/app/utils/login_form?p_next_page=ask

If anyone else has quick links please post.

I assume PayPal knows about the M70 SSL issue, but it's unwise to "assume" anything when it comes to dev...
