What is the difference between these two security requirements for Paypal IPN, which must be done by June 30th, 2018?
1. TLS 1.2 and HTTP/1.1 Upgrade
https://www.paypal-notice.com/en/TLS-1.2-and-HTTP1.1-Upgrade/
"To ensure the security of our systems and adhere to industry best practices, PayPal is updating its services to require TLS 1.2 for all HTTPS connections. At this time, PayPal will also require HTTP/1.1 for all connections."
2. IPN Verification Postback to HTTPS
https://www.paypal-notice.com/en/IPN-Verification-Postback-to-HTTPS/
or
https://www.paypal.com/sg/webapps/mpp/ipn-verification-https
"The IPN message service requires that you acknowledge receipt of these messages and validate them. This process includes posting the messages back to PayPal for verification. In the past, PayPal has allowed the use of HTTP for these postbacks. For increased security going forward, only HTTPS will be allowed for postbacks to PayPal."
What is the difference between 1. and 2.?
Point 2. says HTTPS is required for the IPN verification postback, and point 1. also says that HTTPS is mandatory (but it is not specified whether this is for the IPN postback or not?).
Are there two different things to update in our ipn.php, or is it basically the same thing?
Note:
This seems to confirm it's not mandatory yet, as of June 2018, to have an HTTPS call for IPN: giving the URL http://example.com/ipn.php to Paypal (and not HTTPS) is still fine:
At this time, there is no requirement for HTTPS on the outbound IPN call from PayPal to the merchant’s IPN listener.
About HTTP: HTTP is the protocol used to interact with a web service, and there are currently versions 1.0, 1.1 and 2.0. Paypal is simply stating that they are no longer supporting version 1.0, which is ancient (from 1996), and require at least version 1.1 (from 1999).
About TLS: TLS is the encryption standard used with HTTPS, and there are currently versions 1.0, 1.1, 1.2 and 1.3. They are removing support for 1.0 and 1.1 because this is necessary to be PCI-DSS compliant (a standard for secure payments) - all payment providers are moving to TLS 1.2 this summer for that reason. It should be an almost imperceptible change, because all current browsers and libraries support TLS 1.2.
All of this targets their actual website - https://www.paypal.com. So everything you do with that website now has these changes - if you used TLS 1.0 or 1.1, or if you used HTTP 1.0, it won't work anymore. There should not be many cases where people actually relied on TLS below 1.2 or where they specifically used HTTP 1.0, but you might want to check if you are unsure.
The second statement just means that you cannot use HTTP without encryption for the validation of a payment anymore, which is again a call to Paypal's website. What you mention as not "mandatory" for HTTPS is the call Paypal makes to your web service / website (informing you of that payment), yet the call you then make to validate it has to be HTTPS. I would recommend always using HTTPS for everything though, and then you don't have to worry.
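One way the postback in ipn.php can satisfy both requirements in a single place, as an added example that is not part of the original question or answer: the outbound verification call is forced to HTTPS, TLS 1.2 and HTTP/1.1, while the inbound call from PayPal is left as it is. It assumes the PHP cURL extension; the postback endpoint is the one documented by PayPal for IPN.

```php
<?php
// Added example (not from the question or the answer): IPN postback that
// meets both PayPal requirements. Assumes PHP with the cURL extension.

const PAYPAL_IPN_POSTBACK = 'https://ipnpb.paypal.com/cgi-bin/webscr';            // live
// const PAYPAL_IPN_POSTBACK = 'https://ipnpb.sandbox.paypal.com/cgi-bin/webscr'; // sandbox

/**
 * Post the raw IPN body back to PayPal and return true only for "VERIFIED".
 * The inbound call from PayPal may still be plain HTTP; this outbound call
 * must be HTTPS (requirement 2) over TLS 1.2 and HTTP/1.1 (requirement 1).
 */
function paypal_ipn_is_verified(string $rawPostBody): bool
{
    // PayPal expects the original body, unchanged, prefixed with the validate command.
    $postback = 'cmd=_notify-validate&' . $rawPostBody;

    $ch = curl_init(PAYPAL_IPN_POSTBACK);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $postback,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,   // HTTP/1.0 is no longer accepted
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2, // refuse TLS 1.0 / 1.1 outright
        CURLOPT_SSL_VERIFYPEER => true,                    // keep certificate checks on
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_HTTPHEADER     => ['User-Agent: PHP-IPN-Verification-Script'],
    ]);

    $response = curl_exec($ch);
    $error    = curl_error($ch);
    curl_close($ch);

    if ($response === false) {
        // A TLS or HTTP version mismatch shows up here; log it, never treat it as paid.
        error_log('IPN postback failed: ' . $error);
        return false;
    }
    return trim($response) === 'VERIFIED';
}

// Usage inside ipn.php: read the raw body (not $_POST) so encoding is preserved.
$raw = file_get_contents('php://input');
http_response_code(200); // PayPal only needs a 200 either way
if (paypal_ipn_is_verified($raw)) {
    // Now safe to check payment_status, receiver_email, mc_gross and txn_id in $_POST.
} else {
    error_log('Unverified IPN message received'); // alert, do not fulfil the order
}
```

If the hosting PHP build was linked against a cURL older than 7.34, CURL_SSLVERSION_TLSv1_2 is undefined and the postback fails at this point, which is the quickest way to find out whether your server is affected by the TLS 1.2 requirement.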