Paypal SHA-256 warning with cPanel and WordPress DAP? - digitalFAQ Forum
  #1  
09-13-2015, 04:04 AM
via Email or PM
I received the message below from Paypal. I'm concerned this change could interfere with my ability to process payments using some of the scripts on the server.

Quote:
PayPal service upgrades.

As we have previously communicated to you, PayPal is upgrading the certificate for www.paypal.com to SHA-256. This endpoint is also used by merchants using the Instant Payment Notification (IPN) product.

This upgrade is scheduled for 9/30/2015; however, we may need to change this date on short notice to you to align to the industry security standard.

You’re receiving this notification because you’ve been identified as a merchant who has used IPN endpoints within the past year. If you have not made the necessary changes, we urge you to do so right away to avoid a disruption of your service!

Because these changes are technical in nature, we advise that you consult with your individuals responsible for your PayPal integration. They will be able to identify what, if any, changes are needed. Please share this email and the hyperlinks below with your technical contact for evaluation.

Testing in the Sandbox is one of the best ways to make sure your integration works. Sandbox endpoints have been upgraded to accept secure connections by the SHA-256 Certificates.

Full technical details can be found in our Merchant Security System Upgrade Guide. In addition, our 2015-2016 SSL Certificate Change microsite contains a schedule of our service upgrade plan.

Thanks for your patience as we continue to improve our services.

Initially, I contacted the developers for the two scripts (Digital Access Pass and APM). Both of them wrote back that this is something that must be handled on my server end of things.

Here is one of the responses I received from the developer, and below that you'll find the email Paypal sent with the issue I'm concerned about:

Quote:
This is really a server issue and not a script issue. First of all I don't think you are using SSL certificates. But check with your host and make sure they support certificates using the SHA-256 algorithm.

I have tested in the sandbox and the APM script is still working in the sandbox so you just need to check your host. The PayPal Sandbox servers are already using the SHA-256 algorithm certificates and the APM script still worked. I believe your host will have already updated their servers.

Is this a server issue?
  #2  
09-13-2015, 04:34 AM
kpmedia
Yep, I understand your concern.

Let me address everything in detail for you...

First of all, understand that both the APM developer and DAP developer are mostly full of BS. They both gave stupid responses.

When a developer feeds customers wrong (or even mostly-wrong) info, I lose respect for them. Their knowledge is suspect.

SHA-256 (part of SHA-2) is a balance between
  • browsers
  • servers
  • certificate authorities (CAs aka issuers of SSL) and their certificates
  • and the scripts/apps in use
Your server is cPanel-based, thus the server supports it, and has for quite some time now (2014). Also realize that 256 is just a SHA-2 minimum. Current cPanel 11.50.x+ server supports SHA-2's SHA-384 and SHA-512 as well.

See also: https://features.cpanel.net/topic/ge...ate-sha-1-csrs

So your server is fine.

But that's only part of the issue. Again:

1. Does the script support it?
Given the lousy response from the WordPress plugin developer, who knows? (Remember that WordPress plugins, even paid ones, are often coded by amateurs, and not companies with better/formal coding practices. The entire reason I've posted this email in the forum is to shame that developer for giving a stupid answer. I get rather tired of lazy half-wit so-called 'developers' that always give knee-jerk "It's the server's/host's fault" as a response to anything asked.)

2. Do both the SSL CA issuer -and- the SSL cert support it?
I'm not aware of any CA that does not support it. If your cert is old, simply reissue it. Note that some CAs may have certs that only carry SHA-1, and to get SHA-2, you'll have to pay for a more expensive SSL (which can be used as SSL or SNI in cPanel). I'm not up-to-date on what CAs are doing, so you may need to further scrutinize your own site certs. You can use this tool: https://www.ssllabs.com/

3. Does the person's browser support it?
If somebody is using an outdated browser, the person visiting the site is SOL. Nothing can be done. He/she must upgrade. For example, IE6 on Windows XP is a no-no.

__________

All this said, from my understanding, this only applies to Paypal transactions occurring from your own domain.
If your domain transfers them over to https://www.paypal.com for the actual transaction, then there's nothing that you need to do. Paypal's scary emails seemingly went out to everybody processing a payment, and not just those using the "Pro" version of IPN.

So if not using payment on site (your own domain appears in the URL bar), then this is all non-applicable anyway.

__________

Sometimes owning a site is overly complicated for no reason.
