  1. #1
    Join Date
    Dec 2013
    Location
    Maine
    Posts
    77
    Plugin Contributions
    0

PayPal SHA-256 Security Update Sept 2015

    I received this email and read all it offered and I apologize for my ignorance, but I have no idea what it means as far as changes to the server (I am running 1.5.1 with, at the moment, the original PayPal, not the Express). This is the email:

    As we have previously communicated to you, PayPal is upgrading the certificate for www.paypal.com to SHA-256. This endpoint is also used by merchants using the Instant Payment Notification (IPN) product.

    This upgrade is scheduled for 9/30/2015; however, we may need to change this date on short notice to you to align to the industry security standard.

    You’re receiving this notification because you’ve been identified as a merchant who has used IPN endpoints within the past year. If you have not made the necessary changes, we urge you to do so right away to avoid a disruption of your service!
    Because these changes are technical in nature, we advise that you consult with your individuals responsible for your PayPal integration. They will be able to identify what, if any, changes are needed. Please share this email and the hyperlinks below with your technical contact for evaluation.

    Testing in the Sandbox is one of the best ways to make sure your integration works. Sandbox endpoints have been upgraded to accept secure connections by the SHA-256 Certificates.

    Full technical details can be found in our Merchant Security System Upgrade Guide. In addition, our 2015-2016 SSL Certificate Change microsite contains a schedule of our service upgrade plan.



    I can't be the only one that's gotten this email so it seems I'm just the only one ignorant enough to not know what it means as far as server changes on the old 1.5.1 version of Zen Cart. Would anyone be so kind as to educate me as to what I need to do?

    Mal

  2. #2
    Join Date
    Jan 2004
    Posts
    66,364
    Blog Entries
    7
    Plugin Contributions
    274

Re: PayPal Security Update

    PayPal first started talking about this back in March, and I posted the following in response to that: PayPal upgrading SSL Certificates in 2015

    In short, Zen Cart itself is not affected at all by these changes.


    Nevertheless you may want to take this opportunity to get your hosting company to ensure they've got their server up-to-date. I posted some guidance in the above article for you to reference.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Nov 2014
    Location
    United Kingdom
    Posts
    38
    Plugin Contributions
    0

Re: PayPal Security Update

    Quote Originally Posted by DrByte View Post
    PayPal first started talking about this back in March, and I posted the following in response to that: PayPal upgrading SSL Certificates in 2015

    In short, Zen Cart itself is not affected at all by these changes.


    Nevertheless you may want to take this opportunity to get your hosting company to ensure they've got their server up-to-date. I posted some guidance in the above article for you to reference.
    Appending to this thread as it is relevant.

    DrByte: the link at 2(a) for advice to your hosting company in the post you refer to above doesn't work. Seems it's some kind of privileged area.

I am completely stuck on this security update. I switched to the sandbox and it fails with error:
    10002
    Security error
    Security header is not valid

I have done as the post suggested, i.e. point out the issues to the hosting company. They have improved the grading up to "C" but no joy. I would need to move to a different server to upgrade to TLS 1.2 and improve things further. Do you think that is required to make this work? Honestly, I have no idea what to say to them to help and they don't seem to know either.

It's the blind leading the clueless, I'm afraid :) I'd really appreciate some idea on how to progress this. Thank you.

  4. #4
    Join Date
    Jan 2004
    Posts
    66,364
    Blog Entries
    7
    Plugin Contributions
    274

Re: PayPal Security Update

    Quote Originally Posted by CScotty View Post
    Appending to this thread as it is relevant.

    DrByte: the link at 2(a) for advice to your hosting company in the post you refer to above doesn't work. Seems it's some kind of privileged area.
    Evidently PayPal changed the URLs to their articles. I've updated the post with them:
    https://www.paypal-knowledge.com/inf...ent&id=FAQ1766
    https://www.paypal-knowledge.com/res...20English).pdf


    Quote Originally Posted by CScotty View Post
I am completely stuck on this security update. I switched to the sandbox and it fails with error:
    10002
    Security error
    Security header is not valid
    That's a result of using "production" credentials on the sandbox, or vice versa. The sandbox requires a different set of User/Signature/Password credentials.

    Quote Originally Posted by CScotty View Post
    I have done as the post suggested i.e point out the issues to the hosting company. They have improved the grading up to "C" but no joy.
    That's a good start. Hopefully eventually they'll take the time to dig deep enough to fix the other reported issues, as that will benefit all their customers and improve them as a host.

    In the meantime, I can't speak for anyone but I suspect this PayPal change won't adversely affect you.

    One test that might help is to use the latest curltester.php and see what results it gives back for the sandbox. The tester doesn't actually use any credentials to login so it's not a complete test, but it does confirm that an initial "handshake" sort of connection can be made, and I believe the connection will fail if the SHA certs are wrong.
To use: Upload the curltester file to /extras/curltester.php on your own server, and then use your browser to visit that page, i.e. http://your_site.com/extras/curltester.php
    (To obtain the latest curltester.php file, simply right-click the link above and choose "save as" and store it on your PC. Then upload it to your server using FTP.)

  5. #5
    Join Date
    Nov 2014
    Location
    United Kingdom
    Posts
    38
    Plugin Contributions
    0

Re: PayPal Security Update

    Hi DrByte,

    Thanks for updating the link and your input on the credentials. That was indeed the problem.

    The sandbox credentials, so I thought, were incredibly hard to locate on the PayPal site so for the benefit of others here is how to do it as on 14th Sept 2015.

    Log on at https://developer.paypal.com/
    Click on Dashboard (along the top)
    Click on "Account" under Sandbox on the left
    Click the account name for which you wish to view the credentials
    Click on "Profile". After a few secs a drop down box will appear. When it does select the "API Credentials" Tab.

  6. #6
    Join Date
    Jul 2008
    Posts
    135
    Plugin Contributions
    0

Re: PayPal Security Update

    Quote Originally Posted by DrByte View Post
    PayPal first started talking about this back in March, and I posted the following in response to that: PayPal upgrading SSL Certificates in 2015

    In short, Zen Cart itself is not affected at all by these changes.


    Nevertheless you may want to take this opportunity to get your hosting company to ensure they've got their server up-to-date. I posted some guidance in the above article for you to reference.

I'm curious ... how will this affect stores that do not have SSL enabled and use PayPal Express (rather than the standard PayPal)? For example, several stores use HostGator, which uses a shared SSL certificate, but in the Zen Cart settings SSL is not enabled. When we contacted HostGator we were told shared SSL would not work and we needed to purchase a private SSL (or upgrade to business), but I'm not sure that's true since we have SSL disabled on our stores. Just trying to be proactive, and honestly I don't want to instruct people to purchase an SSL or upgrade if it is not needed.

  7. #7
    Join Date
    Jan 2004
    Posts
    66,364
    Blog Entries
    7
    Plugin Contributions
    274

Re: PayPal Security Update

    The server's ability to communicate securely to external services is not something "you" can fix. That's up to your hosting company. This is not handled by your domain's SSL certificate. It's handled by configuring the server to properly use OpenSSL (or equiv) to have the CURL services use secure TLS communication to talk to the likes of PayPal or other payment gateways securely. Again, it has nothing to do with whether your store is set up to use SSL when customers interact with it via their browser.

  8. #8
    Join Date
    Jul 2008
    Posts
    135
    Plugin Contributions
    0

Re: PayPal Security Update

    This is why I'm confused ... I initially received this reply from HostGator:

Hello, Thank you for contacting HostGator. We have been receiving a number of questions regarding this change by PayPal. The deprecation of SHA-1 has been occurring for some time and we have updated our servers accordingly. The most common issue we have encountered with this change is with customers that have older SSL certificates installed for their domains. In these cases, we are able to reissue these to the new SHA-256 algorithm. Our servers are updated properly for Apache and OpenSSL. You do not currently have a SSL certificate installed for your domain, so that aspect would not apply. If you do encounter any issues with interacting between your site and PayPal, please let us know and we would be more than happy to investigate further. Best Regards, Jordan B. Customer Service Manager

    Then the following day I received an update to the ticket:

    Unfortunately the Shared SSL does not supply the level of security that PayPal requires to support their new configuration. You will need to order a private SSL at https://hostgator.com/ssl and we will install it.

    I'm just trying to find out how best to advise these store owners so they experience little or no downtime. How would YOU suggest to proceed Dr Byte? I take it to mean they DO need to either purchase the SSL or upgrade their acct to the business package which includes the private ssl & dedicated IP but I want to make sure I'm not just reading their responses wrong.
    Last edited by honrheart; 20 Sep 2015 at 12:38 AM. Reason: Adding

  9. #9
    Join Date
    Jan 2004
    Posts
    66,364
    Blog Entries
    7
    Plugin Contributions
    274

Re: PayPal Security Update

    Again, there are TWO aspects to SSL:

    a) SSL certificates for the domain/URL, which is used by browsers. Those might need updating/re-issuing, if old-style certificates are currently in use.

    b) SSL configuration in the back end for Apache/OpenSSL/CURL/PHP/etc.


    The post you quoted above says that "A" will be needed for any sites that have old certificates, or for sites formerly using Shared certificates. It also says that they believe they've taken care of all the stuff needed for "B".
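The following is an added example, not code from this thread, from Zen Cart or from its curltester.php. It turns the two "aspects of SSL" described in posts #7 and #9 into concrete checks a store owner can hand to a host: (b) whether the server's own PHP/cURL/OpenSSL stack can speak TLS 1.2 and verify a SHA-256 signature, and (a) whether a given certificate is still signed with SHA-1 and so needs re-issuing. Everything runs offline; the optional --online mode does only the credential-free handshake that post #4 describes the curltester doing, plus a look at the peer certificate. The function names, the test DN shop.example.test and the host name you pass in are assumptions, and the throwaway certificates are constructed test input that stand in for "your domain's old certificate".

```php
<?php
// paypal_tls_readiness.php  (added example; not Zen Cart's curltester.php)
// Two checks that map onto the two "aspects of SSL" discussed in the thread:
//   (b) can this server's own OpenSSL/cURL stack do TLS 1.2 and SHA-256?
//   (a) is a given certificate signed with SHA-1 (legacy) or SHA-2?
// Everything below runs offline; pass "--online <host>" to also perform a
// real handshake and inspect the peer certificate (network access required).

/** Report the outbound TLS capabilities of the local PHP/cURL/OpenSSL stack (aspect b). */
function local_stack_report(): array
{
    $curl = function_exists('curl_version') ? curl_version() : [];
    return [
        'php'            => PHP_VERSION,
        'openssl'        => defined('OPENSSL_VERSION_TEXT') ? OPENSSL_VERSION_TEXT : 'ext/openssl missing',
        'curl'           => $curl['version'] ?? 'ext/curl missing',
        'curl_ssl'       => $curl['ssl_version'] ?? 'n/a',
        // The TLS 1.2 option constant only exists when PHP and libcurl are new enough.
        'tls12_constant' => defined('CURL_SSLVERSION_TLSv1_2'),
        // SHA-256 must be available locally to verify a sha256WithRSAEncryption signature.
        'sha256_digest'  => function_exists('openssl_get_md_methods')
                            && in_array('sha256', openssl_get_md_methods(), true),
    ];
}

/** Classify the signature hash of a PEM certificate: 'sha1', 'sha2' or 'other' (aspect a). */
function cert_signature_class(string $pem): string
{
    $info = openssl_x509_parse($pem);
    if ($info === false) {
        return 'other';
    }
    // signatureTypeSN is e.g. "RSA-SHA1" or "RSA-SHA256"; fall back to the long name.
    $alg = strtolower($info['signatureTypeSN'] ?? $info['signatureTypeLN'] ?? '');
    if (strpos($alg, 'sha1') !== false) {
        return 'sha1';
    }
    if (preg_match('/sha(224|256|384|512)/', $alg)) {
        return 'sha2';
    }
    return 'other';
}

/**
 * Build a throwaway self-signed certificate signed with the given digest.
 * Constructed test input only; the DN is an assumed placeholder hostname.
 * Returns null if the local OpenSSL refuses the digest (hardened builds reject SHA-1 signing).
 */
function make_test_cert(string $digest): ?string
{
    $key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $dn  = ['commonName' => 'shop.example.test'];
    $csr = openssl_csr_new($dn, $key, ['digest_alg' => $digest]);
    $crt = $csr ? openssl_csr_sign($csr, null, $key, 1, ['digest_alg' => $digest]) : false;
    if ($crt === false || !openssl_x509_export($crt, $pem)) {
        return null;
    }
    return $pem;
}

/** Optional live check: TLS handshake only, no credentials, then report the peer's signature algorithm. */
function probe_endpoint(string $host): array
{
    $ch = curl_init('https://' . $host . '/');
    curl_setopt_array($ch, [
        CURLOPT_NOBODY         => true,   // HEAD request: we only care that the handshake completes
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // fail if the server's CA bundle cannot verify the chain
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CERTINFO       => true,   // ask libcurl to hand back the peer certificate chain
        CURLOPT_SSLVERSION     => defined('CURL_SSLVERSION_TLSv1_2') ? CURL_SSLVERSION_TLSv1_2 : 0,
        CURLOPT_CONNECTTIMEOUT => 10,
    ]);
    curl_exec($ch);
    $err   = curl_error($ch);
    $chain = curl_getinfo($ch, CURLINFO_CERTINFO) ?: [];
    curl_close($ch);
    return [
        'ok'       => $err === '',
        'error'    => $err,
        // Leaf certificate's signature algorithm as libcurl reports it, e.g. "sha256WithRSAEncryption".
        'leaf_sig' => $chain[0]['Signature Algorithm'] ?? 'unknown',
    ];
}

// ---- usage ----
var_export(local_stack_report());
echo PHP_EOL;
foreach (['sha1', 'sha256'] as $digest) {
    $pem = make_test_cert($digest);
    echo "$digest-signed test cert: ", $pem === null ? 'could not be generated' : cert_signature_class($pem), PHP_EOL;
}
if (PHP_SAPI === 'cli' && ($argv[1] ?? '') === '--online' && isset($argv[2])) {
    var_export(probe_endpoint($argv[2]));
}
```

Reading the output: if local_stack_report shows no TLS 1.2 constant, a curl_ssl older than OpenSSL 1.0.1, or no sha256 digest, that is aspect (b) and only the host can fix it. If cert_signature_class returns 'sha1' for your own domain certificate (pass its PEM instead of the test cert), that is aspect (a) and the certificate needs re-issuing. If the sha1 test certificate cannot be generated at all, the local OpenSSL is already hardened against SHA-1, which is a good sign. For the live probe, pass the sandbox API host your payment module is configured to call; a handshake failure with verify-peer enabled points at an outdated CA bundle or TLS stack rather than at credentials, whereas a "10002 Security header is not valid" response, as post #4 explains, is a credentials mismatch and will only show up once real API calls are made.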

  10. #10
    Join Date
    Jul 2008
    Posts
    135
    Plugin Contributions
    0

Re: PayPal Security Update

    Quote Originally Posted by DrByte View Post
    Again, there are TWO aspects to SSL:

    a) SSL certificates for the domain/URL, which is used by browsers. Those might need updating/re-issuing, if old-style certificates are currently in use.

    b) SSL configuration in the back end for Apache/OpenSSL/CURL/PHP/etc.


    The post you quoted above says that "A" will be needed for any sites that have old certificates, or for sites formerly using Shared certificates. It also says that they believe they've taken care of all the stuff needed for "B".
So for those that do not have SSL enabled on their store there isn't anything they need to do? Is that correct? If they do, they may need to have their certificates re-issued if it's an older one.

    I just want to give everyone correct info which is why I'm trying to clarify it for them.
