PayPal IPN :: SSL now required? #914

Closed
jaswrks opened this issue Mar 24, 2016 · 13 comments

jaswrks (Contributor) commented Mar 24, 2016

It seems that PayPal is now forcing all site owners to use an https:// URL when configuring their IPN listener. We were never warned about this change, so it's not clear if this is a glitch in their system, or if it's a new policy that will be enforced moving forward.

Also, it's not clear (yet), if this is going to have an impact on PayPal merchants who have already configured an IPN URL that uses plain http:// or not.


jaswrks (Contributor, Author) commented Mar 24, 2016

Referencing PayPal MTS ticket ID: 160324-000049
https://www.paypal-techsupport.com/app/account/questions/detail/i_id/1234126

@jaswsinc writes...

Was there a change recently that now requires all IPN URLs to be configured with an https:// URL? If so, that's a pretty big deal, as not all merchants I build software for are running an https:// site that can host an IPN listener over https://

If that is in fact the case (which is what it looks like, because we are getting an error when trying to enter a plain http:// link for the IPN URL), then my next question is this:

Does this have any impact on PayPal merchants who have already configured an IPN URL that is not over https://? Or will that still be supported; i.e., is this only enforced for new IPN URLs that are being configured for the first time, or will old IPN URLs start being ignored if they are using an https:// URL?

What about PayPal buttons that use notify_url=. Is https:// required there too?

jaswrks (Contributor, Author) commented Mar 24, 2016

Props @codeforest for reporting.

jaswrks (Contributor, Author) commented Mar 24, 2016

PayPal's response...

Hello Jason,

Thank you for contacting PayPal Merchant Technical Support. I am happy to assist with your question. PayPal is making changes to how IPNs must be submitted; the changes will be completed for live endpoints in September 2016. Please see the link below for more details.

https://www.paypal-knowledge.com/infocenter/index?page=content&id=FAQ1916&expand=true&locale=en_US

In anticipation of the upcoming changes, the PayPal profile settings now require that the IPN URL be https, not just http. If the above communication requirements are met, existing IPN URLs that were set previously with http will be allowed, for the time being. We will also allow the use of http in the 'notify_url' variable. We do not have a date for when we will disallow the use of http altogether for IPN.

Please let me know if you have further questions or if the issue has been resolved so I can close your support ticket appropriately.

Sincerely,
Erin
Merchant Technical Support
PayPal

jaswrks (Contributor, Author) commented Mar 24, 2016

So it looks like this will only impact new s2Member users who try to configure an IPN URL. We will need to update s2Member in ways that bring this to a merchant's attention, and this will now require that any site integrating with PayPal be capable of supporting https:// moving forward.

codeforest commented Mar 25, 2016

@jaswsinc so Live accounts will have this requirement by September? Or is it already in place?

I really understand this move by PayPal, but am afraid that plenty of people will just bug our support and create a big mess of it. As always, we will take the blame, not PayPal :(

We will need to educate people to install an SSL certificate on their sites asap... and use the Let's Encrypt project or similar to lower the costs of transition for them.

jaswrks (Contributor, Author) commented Mar 25, 2016

It is already in place so far as I can tell. My live PayPal requires an https:// URL.


My interpretation is that they are basically saying...

We decided to enforce this now for any new IPN URL that is entered into a live PayPal account. That's already been implemented; i.e., any new IPN URL that you try to configure must be an https:// URL.

Starting Sept. 2016, we will (probably) decide to enforce this across-the-board; i.e., any http:// IPN URL may begin to fail around Sept. 2016.


Based on the article they referenced and answers that I got, it doesn't seem like they are ready to commit to this change just yet, but it does sound like they are seriously considering it; i.e., perhaps waiting to see how loudly people scream about this https:// requirement first.

What they have already done, is that they are now requiring any new IPN URL to be entered as an https:// URL. However, the notify_url= parameter in standard PayPal buttons should continue to work with http://, and any existing configurations out there that still use an http:// URL should continue to work also, based on the answers I was given.

theJoleneU commented Apr 5, 2016

I'm new to s2Member and feverishly trying to figure it all out in order to offer a product for sale next month. I noticed PayPal requiring https for IPN and, since I'm not all set up yet, I'm unable to provide this to them. What is required on my end to have the security layer? I'm not techy, just trying to soak in all this technical stuff with the super amazing training videos offered by Jason. So thank you very much for those!

raamdev (Contributor) commented Apr 5, 2016

@theJoleneU The only way to get HTTPS working on your site is to purchase and install an SSL Certificate. You can get one pretty cheap from CheapSSLSecurity.com (I recommend the Comodo certificates). Then you'll need to install it. Unfortunately how to install an SSL certificate differs from web host to web host, so you'll need to talk to your web hosting company to get that sorted out. In fact, you might want to talk to them before purchasing a certificate, as you might be able to purchase one through them, which will probably make the whole process a lot easier.

@jaswrks jaswrks self-assigned this Apr 15, 2016
@jaswrks jaswrks added this to the Next Release milestone Apr 15, 2016
jaswrks pushed a commit that referenced this issue Apr 15, 2016
jaswrks pushed a commit that referenced this issue Apr 15, 2016
jaswrks (Contributor, Author) commented Apr 15, 2016

Next Release Changelog:

  • (s2Member/s2Member Pro) PayPal SSL Compatibility: This release of s2Member provides an https:// IPN URL for PayPal IPN integrations. It also provides a helpful note (in the Dashboard) about a new requirement that PayPal has with respect to the IPN URL that you configure at PayPal.com. s2Member has been updated to help you with this new requirement.

    New PayPal.com IPN Requirement: PayPal.com is now requiring any new IPN URL that you configure to be entered as an https:// URL; i.e., if you log into your PayPal.com account and try to configure a brand new IPN URL, that URL must use https://. PayPal.com will refuse it otherwise.

    However, the notify_url= parameter in standard PayPal buttons should continue to work with either http:// or https://, and any existing configurations out there that still use an http:// IPN URL should continue to work as well. So this is about planning for the future. We have been told that PayPal will eventually require that all IPN URLs use an https:// protocol; i.e., they will eventually stop supporting http:// IPN URLs altogether (at some point in the future), but they are not giving anyone a date yet. For this reason we strongly suggest that you review the details given here.

    Since PayPal is moving in a direction that will eventually require all site owners to have an SSL certificate in the future, s2Member's instructions (and the IPN URL it provides you with) will now be presented in the form of an https:// URL with additional details to help you through the process of configuring an IPN handler for PayPal.

    See: Dashboard → s2Member → PayPal Options → PayPal IPN Integration

    Props @codeforest for reporting. See this GitHub issue for further details.

jaswrks (Contributor, Author) commented Apr 15, 2016

Screenshot of note about the SSL IPN URL provided by the s2Member software.



As a part of the work in this issue, s2Member's IPN URL will now also produce a simple text message if you try to visit the IPN URL directly in a web browser without any $_POST vars. This is better than just a default blank screen whenever a site owner tests the URL to see if it works.

Note that an IPN URL is really for behind-the-scenes communication, so it is not expected to produce anything meaningful if you visit the URL in a browser. However, if you do happen to try that, the message that you get from the IPN URL is now slightly more convincing.

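The listener behaviour described above, as an added example that is not s2Member's own code: a minimal PHP IPN endpoint that prints a plain-text notice on a direct browser visit, logs whether PayPal reached it over https://, and otherwise runs PayPal's documented validation postback (cmd=_notify-validate to ipnpb.paypal.com) before trusting the message. MERCHANT_EMAIL and the three bookkeeping helpers (txn_already_recorded, order_matches, record_payment) are placeholder assumptions you would implement yourself.

```php
<?php
// Added illustration, not s2Member's own code: a minimal PayPal IPN listener.
// Assumptions: MERCHANT_EMAIL is your PayPal account e-mail (placeholder), and
// txn_already_recorded()/order_matches()/record_payment() are your own bookkeeping.
const PAYPAL_IPN_VERIFY_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr'; // sandbox: ipnpb.sandbox.paypal.com
const MERCHANT_EMAIL        = 'seller@example.com'; // placeholder

header('Content-Type: text/plain; charset=utf-8');

// 1. Visited directly in a browser (no POST vars): show a short notice, not a blank page.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || empty($_POST)) {
    exit("PayPal IPN listener. PayPal posts here in the background; nothing to view.\n");
}

// 2. Note the scheme PayPal reached us on. http:// still works for existing URLs,
//    but PayPal has said https:// will eventually be required, so make it visible.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    error_log('IPN arrived over http://; plan the move to an https:// IPN URL.');
}

// 3. Validation handshake: post the unmodified body back to PayPal with
//    cmd=_notify-validate prepended; PayPal answers VERIFIED or INVALID.
$ch = curl_init(PAYPAL_IPN_VERIFY_URL);
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . file_get_contents('php://input'),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => true, // never disable this to "fix" certificate errors
    CURLOPT_HTTPHEADER     => ['User-Agent: Example-IPN-Listener'],
]);
$verdict = curl_exec($ch);
curl_close($ch);

// 4. Answer HTTP 200 once handled either way; PayPal resends on any other status.
if ($verdict !== 'VERIFIED') {
    error_log('IPN rejected: ' . var_export($verdict, true));
    exit("ignored\n");
}

// 5. VERIFIED only proves PayPal sent it. Still check it is for your account, is a
//    completed payment, is not a replayed txn_id, and matches the order you expected.
$ipn = $_POST;
if (strcasecmp($ipn['receiver_email'] ?? '', MERCHANT_EMAIL) !== 0) exit("wrong receiver\n");
if (($ipn['payment_status'] ?? '') !== 'Completed')               exit("not completed\n");
if (txn_already_recorded($ipn['txn_id'] ?? ''))                    exit("duplicate\n");
if (!order_matches($ipn['custom'] ?? '', $ipn['mc_gross'] ?? '', $ipn['mc_currency'] ?? '')) exit("mismatch\n");
record_payment($ipn);
exit("ok\n");
```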

jaswrks (Contributor, Author) commented Apr 15, 2016

Since this new requirement from PayPal.com may eventually have an impact on standard PayPal Buttons that use the notify_url= or return= parameters (which s2Member does implement), I am also adding two new WordPress Filters:

  • ws_plugin__s2member_during_sc_paypal_button_force_notify_url_scheme
  • ws_plugin__s2member_during_sc_paypal_button_force_return_url_scheme

Example use:

<?php
// Force https:// for the notify_url= parameter of s2Member's PayPal buttons,
// regardless of the scheme of the page the buttons are displayed on.
add_filter('ws_plugin__s2member_during_sc_paypal_button_force_notify_url_scheme', function() {
  return 'https';
});
// Force https:// for the return= parameter as well.
add_filter('ws_plugin__s2member_during_sc_paypal_button_force_return_url_scheme', function() {
  return 'https';
});

Without these filters, the default behavior is for s2Member to use the protocol/scheme of the page where the PayPal Buttons are displayed. So that's another way to control the scheme used in these URLs without needing to implement the filters above; i.e., if you want SSL for those URLs, simply display the buttons on a page that is served on the https:// protocol and you're good (i.e., you don't need the filters). HTTPS Everywhere™ is a growing trend. This may eventually become necessary. For now though, PayPal has said that notify_url= and return= can be http:// or https:// (either is fine).

The filters shown above are simply there to help site owners transition from http:// to https:// in certain special cases that might require the filters to be used in order to achieve a specific goal; e.g., to use https:// in both URLs, even if your PayPal Buttons are not presented on a page that is served over https:// already; and that would only be necessary if PayPal does get more strict in the future.

@jaswrks jaswrks closed this Apr 15, 2016
jaswrks (Contributor, Author) commented Apr 23, 2016

s2Member & s2Member Pro v160423 have been released and they include changes from this GitHub Issue. See the v160423 announcement for further details.


This issue will now be locked to further updates. If you have something to add related to this GitHub Issue, please open a new GitHub Issue and reference this one. Thanks! :-)

@wpsharks wpsharks locked and limited conversation to collaborators Apr 23, 2016