  #1  
Old 08 Jan 2018, 15:27
abozich abozich is offline
 
Join Date: Jan 2018
Confused by this email received from PayPal

Running 4.2.5 and got an email last month from PayPal that says the following:

--



It was my understanding that 4.2.5 fixed the IPN postbacks to HTTPS issue within vBulletin. Are they saying I need to move my forum completely over to HTTPS? Was planning to do this anyway in Q1, but just curious if anyone had insight here. Thanks.
  #2  
Old 09 Jan 2018, 19:29
Stingray27 Stingray27 is offline
 
Join Date: Jan 2006
From the PayPal site:

Merchants and partners use Instant Payment Notification (IPN) to receive notifications of events related to PayPal transactions. The IPN message service requires that you acknowledge receipt of these messages and validate them. This process includes posting the messages back to PayPal for verification. In the past, PayPal has allowed the use of HTTP for these postbacks. For increased security going forward, only HTTPS will be allowed for postbacks to PayPal. At this time, there is no requirement for HTTPS on the outbound IPN call from PayPal to the merchant’s IPN listener.
The part in bold is the HTTPS postback to PayPal; that was fixed to be correct in 4.2.4 onwards.

The second part (in red) confirms that you do not need to use HTTPS on your website for the calls from PayPal.


(https://www.paypal.com/en/webapps/mp...fication-https)
  #3  
Old 10 Jan 2018, 14:52
abozich abozich is offline
 
Join Date: Jan 2018
Originally Posted by Stingray27 View Post
From the PayPal site:



The part in bold is the HTTPS postback to PayPal; that was fixed to be correct in 4.2.4 onwards.

The second part (in red) confirms that you do not need to use HTTPS on your website for the calls from PayPal.


(https://www.paypal.com/en/webapps/mp...fication-https)
Thank you, Stingray.
  #4  
Old 29 Jan 2018, 17:15
abozich abozich is offline
 
Join Date: Jan 2018
As a follow-up here, I emailed PayPal and was told that the IPN listener I use must be SSL. Does anyone know which file serves as the IPN listener for vBulletin?
  #5  
Old 29 Jan 2018, 18:14
Stingray27 Stingray27 is offline
 
Join Date: Jan 2006
Originally Posted by abozich View Post
As a follow-up here, I emailed PayPal and was told that the IPN listener I use must be SSL.
Again, this is not the information on their site:

https://www.paypal.com/in/webapps/mp...fication-https

Merchants and partners use Instant Payment Notification (IPN) to receive notifications of events related to PayPal transactions. The IPN message service requires that you acknowledge receipt of these messages and validate them. This process includes posting the messages back to PayPal for verification. In the past, PayPal has allowed the use of HTTP for these postbacks. For increased security going forward, only HTTPS will be allowed for postbacks to PayPal. At this time, there is no requirement for HTTPS on the outbound IPN call from PayPal to the merchant’s IPN listener.
  #6  
Old 29 Jan 2018, 18:39
abozich abozich is offline
 
Join Date: Jan 2018
Originally Posted by Stingray27 View Post
Again, this is not the information on their site:

https://www.paypal.com/in/webapps/mp...fication-https
Here's my full exchange with them:

  #7  
Old 29 Jan 2018, 19:22
Dave Dave is offline
 
Join Date: Jun 2010
Real name: Dave
That means that your site should run on HTTPS, or only your payment gateway script.
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
  #8  
Old 29 Jan 2018, 19:24
abozich abozich is offline
 
Join Date: Jan 2018
Originally Posted by Dave View Post
That means that your site should run on HTTPS, or only your payment gateway script.
They just came back with this:

  #9  
Old 29 Jan 2018, 19:43
Dave Dave is offline
 
Join Date: Jun 2010
Real name: Dave
In that case your forum does not need HTTPS; looks like they got confused about the question.
  #10  
Old 29 Jan 2018, 21:04
Stingray27 Stingray27 is offline
 
Join Date: Jan 2006
Yep, their support gave you wrong information.

Only the postback from you to PayPal must be HTTPS; there isn't any requirement for your end to be HTTPS.
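
The postback this thread discusses, as an added example that is not part of the original posts and is not vBulletin's code: the listener echoes the IPN body back to PayPal over HTTPS and trusts the message only on a VERIFIED reply. The endpoint URL, the cmd=_notify-validate prefix and the VERIFIED/INVALID replies come from PayPal's IPN documentation rather than from this thread; the function names and the sample body are constructed.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit

# PayPal's documented live IPN postback endpoint (not quoted in the thread).
PAYPAL_POSTBACK_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"


def build_postback(raw_body: bytes) -> bytes:
    """Echo the IPN body back byte-for-byte, prefixed with the validate command."""
    return b"cmd=_notify-validate&" + raw_body


def https_post(url: str, body: bytes) -> str:
    """Default transport: POST over TLS with certificate verification on."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    req = urllib.request.Request(url, data=body, headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "example-ipn-listener",  # constructed value
    })
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("ascii", "replace")


def verify_ipn(raw_body: bytes, post=https_post, url=PAYPAL_POSTBACK_URL) -> bool:
    """Return True only if PayPal answers VERIFIED to the HTTPS postback."""
    if urlsplit(url).scheme != "https":
        raise ValueError("IPN postback must use HTTPS: " + url)
    return post(url, build_postback(raw_body)).strip() == "VERIFIED"


# Constructed sample IPN body as the listener would receive it. The inbound
# request may arrive over plain HTTP; only the postback has to be HTTPS.
SAMPLE_IPN = b"txn_id=TEST123&payment_status=Completed&mc_gross=10.00"

if __name__ == "__main__":
    # Stub transport so the example runs offline; a real listener uses https_post.
    sent = []

    def fake_paypal(url, body):
        sent.append((url, body))
        return "VERIFIED"

    print(verify_ipn(SAMPLE_IPN, post=fake_paypal), sent[0])
```
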