PayPal IPN now requires SHA-256 compliant server & certificate upgrades


#1

It looks like anyone who uses PayPal IPN (and that’s a LOT of people) received a cryptic technical email from PayPal yesterday (no, after checking it’s not spam or malware) which I reproduce below:


Subject: IMMEDIATE ATTENTION REQUIRED: PayPal service upgrades.
PayPal service upgrades.

As we have previously communicated to you, PayPal is upgrading the certificate for www.paypal.com to SHA-256. This endpoint is also used by merchants using the Instant Payment Notification (IPN) product.

This upgrade is scheduled for 9/30/2015; however, we may need to change this date on short notice to you to align to the industry security standard.

You’re receiving this notification because you’ve been identified as a merchant who has used IPN endpoints within the past year. If you have not made the necessary changes, we urge you to do so right away to avoid a disruption of your service!

Because these changes are technical in nature, we advise that you consult with your individuals responsible for your PayPal integration. They will be able to identify what, if any, changes are needed. Please share this email and the hyperlinks below with your technical contact for evaluation.

Testing in the Sandbox is one of the best ways to make sure your integration works. Sandbox endpoints have been upgraded to accept secure connections by the SHA-256 Certificates.

Full technical details can be found in our Merchant Security System Upgrade Guide (https://www.paypal-knowledge.com/resources/sites/PAYPAL/content/live/FAQ/1000/FAQ1766/en_US/2015%20Merchant%20Security%20System%20Upgrade%20Guide%20(U.S.%20English).pdf). In addition, our 2015-2016 SSL Certificate Change microsite (https://www.paypal-knowledge.com/infocenter/index?page=content&id=FAQ1766&expand=true&locale=en_US) contains a schedule of our service upgrade plan.

Thanks for your patience as we continue to improve our services.

My IPN service solution says that my website host—that would be DreamHost—needs to

“verify that the server that your website is hosted on is a SHA-256 compliant server and they’ve upgraded to a G5 Root Certificate”

So, naturally, I’m asking to be reassured that DreamHost has done this and everything will still work after this PayPal upgrade.


#2

I am also asking, but I trust Dreamhost and it should be OK? Thank you.


#3

It looks like we are going to be OK with the SHA256.

I was testing a WooCommerce site to ensure it was compatible and WooCommerce has a plugin to test if the server can handle the new encryption. Our server passed.

While not a guarantee, it looks promising. It would be nice for Dreamhost to have an announcement that they are ready.

You can read more about it here, http://docs.woothemes.com/document/paypal-update-for-sha-256/


#4

I have also gotten this email and have done a LOT of searching on Dreamhost’s control panel, wiki, etc. and can find ZERO references to SHA-2! One would think that an industry wide requirement issue would be addressed by Dreamhost expediently rather than the apparent 11th hour.

I have been a Dreamhost customer for almost 20 years and although I trust them, my customers will be calling ME, not Dreamhost if things stop working.

Also, when I went to https://www.ssllabs.com/ssltest/ to test my compliance (I am on a VPS), my site passed, but only with a “C”! Some of the problems encountered were as follows:
- This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
- The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.
- The server does not support Forward Secrecy with the reference browsers.

As I see it, the lack of support for TLS 1.2 is a huge red flag!

So yeah… I would like some reassurances from Dreamhost!
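The three things the thread keeps circling back to (is the certificate SHA-256 rather than SHA-1 signed, does the server speak TLS 1.2, does the cipher give forward secrecy) can be checked from a shell without a third-party site. The script below is an added example, not code from any poster, DreamHost, PayPal or WooCommerce; it parses the peer certificate's DER directly because Python's ssl module does not expose the signature algorithm, and the default host name is just an illustrative value.

```python
"""Check a TLS endpoint for the points raised in this thread: certificate signature
hash (SHA-1 vs SHA-256), TLS 1.2 support, and forward-secrecy key exchange."""
import socket
import ssl

SIG_OIDS = {  # signatureAlgorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, content bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OID content octets (base-128 arcs) into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def cert_signature_algorithm(der):
    """Name of the signature algorithm in a DER X.509 certificate:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    _, body, _ = _tlv(der, 0)                # outer SEQUENCE
    _, _, pos = _tlv(body, 0)                # skip tbsCertificate
    _, sig_alg, _ = _tlv(body, pos)          # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _tlv(sig_alg, 0)             # its first element is the OID
    dotted = _decode_oid(oid)
    return SIG_OIDS.get(dotted, dotted)      # unknown OIDs are returned in dotted form

def check_host(host, port=443):
    """Connect requiring TLS 1.2+ (a TLS 1.0/1.1-only server fails the handshake)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=10) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        cipher, proto, _ = tls.cipher()
        sig = cert_signature_algorithm(tls.getpeercert(binary_form=True))
    return {"protocol": proto, "cipher": cipher, "signature_algorithm": sig,
            "forward_secrecy": proto == "TLSv1.3" or cipher.startswith(("ECDHE", "DHE")),
            "sha1_signed": sig.startswith("sha1")}
```

Run `check_host("your.host.example")` against a site you operate; a handshake failure means no TLS 1.2, and `sha1_signed` being true is the condition the PayPal notice is about.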


#6

I finally submitted a Dreamhost support request, since we have not received an official response on this thread. After a few messages, here’s what I got from support:

“Yes, dreamhost’s ssl certs are the latest, SHA-256, and G5 compliant and 2048bit encryption. You can see further proof here:
https://www.sha2sslchecker.com/webmail.dreamhost.com”

So, hopefully, we are all set.