Do I need SSL on my Web Server for use with PayPal IPN?

PayPal upgrades:

1) Changes to PayPal security for HTTP/1.1 and TLS 1.2
2) IPN Verification Postback to HTTPS

PayPal say their target for these is June 2018


You may have seen an article from PayPal about HTTP/1.1 and TLS 1.2. This is a server issue
which is the responsibility of your web host. PayPal is upgrading its own servers to require these
standards, so every connection your web server makes to PayPal, including the IPN verification
postback, must use HTTP/1.1 and TLS 1.2. In practice that means the PHP curl extension on your host
is built against an OpenSSL of 1.0.1 or later (the release that added TLS 1.2) and the host's CA
bundle is current. You should contact your host about this if you are unsure, although most servers
will already meet these standards.
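A quick way to confirm what the paragraph above asks of your host is to make one TLS 1.2-only, certificate-verified request to PayPal's IPN endpoint from PHP itself. The script below is an added check, not part of the PHP-eSeller, PHP-KeyCodes or PHP-SecureArea code; it assumes the curl and openssl extensions are loaded and is run from the command line on the web server.

```php
<?php
// Added host check (not part of the Withinweb scripts): confirms that this
// server's PHP/curl/OpenSSL stack can reach PayPal's IPN endpoint over
// TLS 1.2 with certificate verification switched on, which is what the
// June 2018 PayPal change requires. Run: php tls-check.php

const IPN_ENDPOINT = 'https://ipnpb.paypal.com/cgi-bin/webscr';

$cv = curl_version();
printf("PHP %s, curl %s, TLS library: %s\n", PHP_VERSION, $cv['version'], $cv['ssl_version']);
if (defined('OPENSSL_VERSION_TEXT')) {
    printf("openssl extension built against: %s\n", OPENSSL_VERSION_TEXT);
}
if (!defined('CURL_SSLVERSION_TLSv1_2')) {
    // Constant appears with curl 7.34 / PHP 5.5; without it TLS 1.2 cannot be forced.
    fwrite(STDERR, "curl is too old to force TLS 1.2 (needs curl 7.34+, PHP 5.5+)\n");
    exit(1);
}

$ch = curl_init(IPN_ENDPOINT);
curl_setopt_array($ch, [
    CURLOPT_NOBODY         => true,   // we only care about the handshake, not the page
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2,
    CURLOPT_SSL_VERIFYPEER => true,   // fail unless PayPal's chain validates against the CA bundle
    CURLOPT_SSL_VERIFYHOST => 2,      // and the certificate name matches the host
    CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,
    CURLOPT_CONNECTTIMEOUT => 10,
    CURLOPT_TIMEOUT        => 20,
]);
$ok   = curl_exec($ch) !== false;
$err  = curl_error($ch);
$code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($ok) {
    printf("OK: TLS 1.2 handshake and certificate validation succeeded (HTTP %d)\n", $code);
    exit(0);
}
// Typical failures: "SSL certificate problem" means a stale CA bundle (point curl.cainfo in
// php.ini at a current one); a handshake or "unsupported protocol" error means the OpenSSL
// behind curl predates 1.0.1 and has no TLS 1.2, which only the host can fix.
fwrite(STDERR, "FAILED: $err\n");
exit(1);
```

If this script reports OK, the same PHP stack will be able to perform the IPN verification postback once the script points at the https URL; if it fails, no change to the PHP application will help until the host upgrades curl/OpenSSL or the CA bundle.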


The second update is using HTTPS for IPN verification.

PayPal says:

“If you are using PayPal’s Instant Payment Notification (IPN) service, you will need to ensure
that HTTPS is used when posting the message back to PayPal for verification. HTTP PostBacks
will no longer be supported.”

“Merchants and partners use Instant Payment Notification (IPN) to receive notifications of
events related to PayPal transactions. The IPN message service requires that you acknowledge
receipt of these messages and validate them. This process includes posting the messages back
to PayPal for verification. In the past, PayPal has allowed the use of HTTP for these
PostBacks. For increased security going forward, only HTTPS will be allowed for PostBacks to
PayPal. At this time, there is no requirement for HTTPS on the outbound IPN call from PayPal
to the merchant’s IPN listener.”

In practice this means that your web server must be able to make outbound HTTPS requests to PayPal
(PHP's curl with an OpenSSL that supports TLS 1.2 and a current CA bundle), and that you need to
change the set up of your PHP-KeyCodes, PHP-eSeller or PHP-SecureArea application to identify the
URL of the site as https rather than http.

Note: if a customer makes a purchase while the postback is still going over http, the payment
itself still succeeds, but PayPal rejects the http postback, so your script never sees the
message verified: your store is not notified of the sale, your records will not reflect it
properly, and the PHP application will not send the purchase information to the customer by email.

Refer to PayPal documentation:

https://www.paypal.com/au/webapps/mpp/ipn-verification-https

So do I need SSL on my Web Server when using PayPal IPN? Yes. Without an HTTPS-capable server the
PostBack to PayPal will not work, and SSL will give better security for the rest of your site too.
(Strictly, the PostBack is an outbound request from your server to PayPal, so what it needs is a
TLS 1.2-capable client on your host rather than a certificate of your own, and PayPal still accepts
a plain http URL for your IPN listener; but certificates are cheap or free now, and serving the
listener over https as well is the sensible setup.)

Update to PayPal IPN

In Sept 2016 PayPal are changing their requirement for posting IPN messages back to PayPal for verification.

They are making the post url as https. My current versions of scripts already post to https so there should not be any change required, however, they also suggest that https://ipnpb.paypal.com/cgi-bin/webscr should be used in the future rather than https://www.paypal.com/cgi-bin/webscr.

Change:

https://www.paypal.com/cgi-bin/webscr

to

https://ipnpb.paypal.com/cgi-bin/webscr

(For a sandbox account the equivalent endpoint is https://ipnpb.sandbox.paypal.com/cgi-bin/webscr.)
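The following listener shows the whole postback procedure the two sections above describe: PayPal posts the IPN message to your script, the script echoes the exact body back to https://ipnpb.paypal.com/cgi-bin/webscr over TLS 1.2 prefixed with cmd=_notify-validate, and only a VERIFIED answer that also matches your own order is acted on. It is an added example, not the PHP-eSeller, PHP-KeyCodes or PHP-SecureArea code; it assumes PHP 7.1+ with curl and a TLS 1.2-capable OpenSSL, and the receiver address, order lookup and record_sale() persistence are placeholders standing in for your own store.

```php
<?php
// Added example IPN listener (ipn.php). Illustrative code, not the Withinweb
// scripts. Assumptions: PHP 7.1+, curl built against an OpenSSL with TLS 1.2,
// and a store whose persistence is represented by the stub functions below.
//
// Flow required by PayPal:
//   1. PayPal POSTs the IPN message to this URL (http or https, your choice).
//   2. We post the byte-identical body back to PayPal over HTTPS, prefixed
//      with cmd=_notify-validate; PayPal answers VERIFIED or INVALID.
//   3. Only a VERIFIED message that also matches our own order is acted on.

const IPN_LIVE           = 'https://ipnpb.paypal.com/cgi-bin/webscr';
const IPN_SANDBOX        = 'https://ipnpb.sandbox.paypal.com/cgi-bin/webscr';
const USE_SANDBOX        = false;              // assumption: live account
const OUR_RECEIVER_EMAIL = 'sales@example.com'; // placeholder: the PayPal account that should be paid

/** Post the raw IPN body back to PayPal over TLS 1.2; returns "VERIFIED" or "INVALID". */
function ipn_postback(string $rawBody, string $endpoint): string
{
    $ch = curl_init($endpoint);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody, // must be the original bytes
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2,
        CURLOPT_SSL_VERIFYPEER => true,   // never disable: an unverified postback can be spoofed
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,
        CURLOPT_FORBID_REUSE   => true,
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_HTTPHEADER     => ['Connection: Close', 'User-Agent: PHP-IPN-Listener/1.0'],
    ]);
    $response = curl_exec($ch);
    $error    = curl_error($ch);
    $status   = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($response === false) {
        throw new RuntimeException("IPN postback failed: $error");
    }
    if ($status !== 200) {
        throw new RuntimeException("IPN postback returned HTTP $status");
    }
    return trim($response);
}

/** Checks VERIFIED does not cover: is this the payment, to us, that we expected? */
function ipn_sanity_checks(array $ipn, array $order): array
{
    $problems = [];
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $problems[] = 'payment_status is not Completed';
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', OUR_RECEIVER_EMAIL) !== 0) {
        $problems[] = 'receiver_email is not our account';
    }
    if (($ipn['mc_currency'] ?? '') !== $order['currency']
        || abs((float)($ipn['mc_gross'] ?? 0) - (float)$order['amount']) > 0.005) {
        $problems[] = 'amount/currency does not match the order';
    }
    return $problems;
}

// Stubs standing in for the store's own persistence (assumption, replace with your DB code).
function load_order(string $invoice): ?array { return ['currency' => 'GBP', 'amount' => '25.00']; }
function txn_already_processed(string $txnId): bool { return false; }
function record_sale(string $txnId, array $ipn): void { /* write the sale, email the customer */ }

// --- request handling --------------------------------------------------------
$rawBody = file_get_contents('php://input'); // raw body, so re-encoding cannot alter it
parse_str($rawBody, $ipn);

http_response_code(200); // always acknowledge; PayPal keeps resending otherwise

try {
    $verdict = ipn_postback($rawBody, USE_SANDBOX ? IPN_SANDBOX : IPN_LIVE);
} catch (RuntimeException $e) {
    error_log('IPN: ' . $e->getMessage()); // typical cause: host cannot do TLS 1.2, stale CA bundle
    exit;
}
if ($verdict !== 'VERIFIED') {
    error_log('IPN: INVALID message ignored: ' . $rawBody);
    exit;
}

$txnId = $ipn['txn_id'] ?? '';
if ($txnId === '' || txn_already_processed($txnId)) {
    exit; // malformed, or a redelivery of a message we already handled
}
$order    = load_order($ipn['invoice'] ?? '');
$problems = $order ? ipn_sanity_checks($ipn, $order) : ['unknown invoice'];
if ($problems) {
    error_log('IPN: VERIFIED but rejected: ' . implode('; ', $problems));
    exit;
}
record_sale($txnId, $ipn);
```

Two points are easy to get wrong. The body posted back must be the original bytes, which is why the script reads php://input rather than re-encoding $_POST. And VERIFIED only proves PayPal sent the message; the receiver_email, amount, currency and txn_id checks are what stop a genuine but irrelevant IPN (someone else's payment, a replayed notification, a partial amount) from unlocking a product.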

PayPal upgrade to Certificate which may affect IPN based programs and scripts

There has been quite a bit of discussion about the changes PayPal is making to its system to move to SHA-256 during September 2015. This concerns the signature algorithm on PayPal's SSL (Secure Socket Layer) certificates, which are used over https connections: certificates signed with SHA-1 are being replaced by ones signed with SHA-256, and any client connecting to PayPal must be able to validate a SHA-256 signature (OpenSSL 0.9.8o or later).

A part of their message is:

“PayPal is upgrading the certificate for www.paypal.com to SHA-256. This endpoint is also used by merchants using the Instant Payment Notification (IPN) product.”

PayPal IPN can be used without SSL on your own site, that is over plain http. That is one reason many developers like it: it does not require an SSL certificate on their web server, which can be expensive for a small trader selling only a handful of items, although free certificates are now widely available, so this is less of a barrier than it once was.

So the systems that are affected are those whose server makes https connections to www.paypal.com, whether through the PayPal API or by posting IPN messages back for verification, using a TLS library too old to validate a SHA-256 certificate.

IPN over plain http will be supported as it currently is, so you will still be able to supply a plain http link to your IPN listener script. However, if your IPN listener script is SSL/TLS enabled it will have to be SHA-256 compliant, and your listening server will need to be able to handle SHA-256 certificates.

So do the changes affect the scripts on www.Withinweb.com that use IPN? No, they do not affect the scripts at all.

PHP-eSeller, PHP-SecureArea and PHP-KeyCodes use a simple handshake with PayPal to verify that the transaction has taken place, so no modifications are needed to the applications. The only thing worth confirming is that the hosting server's TLS library, which performs that handshake on the scripts' behalf, is recent enough to validate a SHA-256 certificate.

New PHP script to register users on your site

PHP-Register is a new PHP / MySQL application that is used to easily create forms that collect data from your visitors before they are directed to a page of your choice.

The application is easy to install on a Linux-type web server or a Windows web server, provided it has PHP and MySQL.

In the administration pages you can create forms with each form having input boxes of text, textarea, drop down lists, checkboxes or radio buttons.  Each input may have validation allowing you to define the data that a visitor can enter.

For full details, refer to http://www.withinweb.com/phpregister/