PayPal Email about SSL upgrade?

[opwdecks]

Is there anything that we need to do as far a VM and PayPal. It is confusing to me. Here is the email that was sent:

ACTION MAY BE REQUIRED: PayPal service upgrades for merchants.

Because we support our merchants in helping them grow their business, we continue to make significant investments and improvements to our infrastructure. These improvements sometimes require us to perform necessary service upgrades.

Please read below as we explain what the change is, and what action may be required by you.*

What's happening?

Over the course of 2015 and 2016, PayPal will be working towards upgrading various SSL certificates. The changes include upgrading the following:

The version of the VeriSign Trusted Root Certificate used to establish secure connections to PayPal.
The signing algorithm of certificates (from SHA-1 to SHA-256).
Why is this happening?

We're taking measures to address industry-wide security concerns which aren't unique to PayPal. When implemented, these measures can help us improve the security and reliability of our PayPal integrations and help guard against current and future security threats.

When is this happening?

We've published the schedule of our service upgrade plan. Please check our 2015-2016 SSL Certificate Change microsite for the most recent updates as published schedules may change. Our efforts to upgrade SSL certificates for our production endpoints are scheduled to start in May 2015, and will continue into next year.

Please note – The Sandbox environment is ready for testing. Testing in the Sandbox environment is one of the best ways to make sure your integration works.

What do I need to do?

For information regarding the important details of these upgrades, how it may impact your integration, and what you must do to future-proof your integration, please refer to the Merchant Security System Upgrade Guide on the microsite.

*Please note – If you're impacted by this upgrade, you may be required to implement these changes prior to the dates listed on the microsite. Otherwise, you may not be able to process payments through your current integration with PayPal. In addition, if you're integrated with a third party, please check with them on any additional steps you may need to take.

Questions can be directed to our Merchant Technical Services team on our Technical Support website. Click here for more information.

Thanks for your patience as we continue to improve our services.

[wazowski]

I'm concerned about this matter too. Anyone know what this mean?

[cstreit]

Bumping this again... Do we need to worry about this?  Very concerned about the paypal plugin not working once this is instituted.

Anyone care to comment?

[fkn]

Hi,
I'm also concerned about this issue and would be grateful to get an answer to cstreit's question asap.

have a good day

[Sale Gosse]

Got this mail to.
What sould i do?
WM 3.0.9 under joomla 3.4.4
Wait and see?

Thanks

[volksman3]

Anyone??? Will Virtuemart continue to work with paypal with no issue after this upgrade, i have allot of our customer asking this but this does not seam to have been answered?

[jjk]

Rule #1: Don't panic

The PayPal email is confusing and there is a lot of speculation about what it means in other shopping cart forums, too.
I'm no expert concerning this stuff either, so if an expert is reading this and thinks something of the following is wrong, please correct me.

So what is PayPal talking of?
If you rent web-space or a server, the hosting company normally has an ssl certificate installed on the server. A few of them still might have SHA-1 (1024-bit (G2)) certificates installed, which were found to be insecure earlier this year. Meanwhile the vast majority is using SHA-2 (256)/(2048-bit (G5)) certificates. Now PayPal wants to get rid of the SHA-1 certificates. So in the future, when the server where your website is hosted communicates with PayPal, both sides should use SHA-2.

So if the server hosting your website has installed an SHA-1 certificate only, the Instant Payment Notification for example and/or other transactions probably will fail and you would find an error message from PayPal in your PayPal error log. (Note: You don't have to enable IPN if you use the VirtueMart PayPal plugin).

The PayPal email is also misleading. because the PayPal guys seem to think that all certificates are issued by VeriSign. Of course there are many other companies supplying certificates. I'm using one from startssl.com for example. If you are using SSL with your shop, you might check if you already have an SHA-2 certificate installed and eventually update it.

One method to check if your server has an SHA-2 certificate installed is to use your browser. In Firefox go to 'Options' > 'Advanced' > 'View Certificates' and search for the certificate from your hosting company. Select it and click 'View Certificate'. If you see an SHA-2 (256) fingerprint, you should be ok (if I understand the PayPal email correctly).

Additional comments and clarifications are welcome.

[GJC Web Design]

I would also add to above in saying as far as I know this will not affect anyone NOT using SSL or a secure connection in your Paypal transactions.

So for example if you use the Std. paypal where you are directed to the Paypal site and the transaction is conducted there then IMHO this email from paypal has nothing to do with you.
This also includes the notification back to your site from paypal to VM to confirm and update the order as this also is not using SSL.

This is perhaps different if you have chosen to make your site fully https.. in this case the notice will be returned over https and you should check your encryption standard for YOUR certificate.

[JoanHall]

I found this website: https://www.sha2sslchecker.com/

Does checking my website and my host on this site give me the information I'm looking for?

[GJC Web Design]

I would think so yes...  are u using https to communicate with Paypal?

[cstreit]

This is whats frustrating.  I'm not a developer... 

..and Virtuemart provides a paypal plugin.  I guess the question is - If we are up-to-date and Paypal turns this on, whats going to happen?

If this requires server changes - what do I tell my hosting company?

[GJC Web Design]

1. this has nothing to do with VM..
2. this is about the type of certificate encryption .. not a shopping cart or payment plugin issue
3. Paypal should be ashamed to send out millions of these emails without a proper explanation of what they are talking about that any layman can understand
4. jjk and myself have tried to explain with the same limited info you have access to
5. even if Paypal are demanding everyone shift to ssl ( and I can't believe this is the case) and have a SHA-2 cert it is still nothing to do with VM - this is the type of encryt. YOUR or your servers security cert has.
VM has always supported ssl to Paypal but it has nothing to do with the type of encryt. YOUR (if u have and use one) certificate uses
6. @cstreit - no where do u mention if you are using https or the type of paypal method

see further comments above re whether you even need to bother with this or not

[cstreit]

Thanks.  Yes we use SSL and have implemented the paypal payments pro.  As such our website collects and transmits the cc info to paypal for backend gateway processing.

So if I read you correctly... This is strictly a server side issue.  How do I know if my server is compliant?

Appreciate you trying to explain - but this is not easy to understand without a grounding in SSL.

[GJC Web Design]

doesn't this tell you?  ->  https://www.sha2sslchecker.com/

[cstreit]

Was not aware of that site.

Well it says "sha256WithRSAEncryption" which I presume means I am golden?