Paypal security update?

seanie_morris

UPDATE: For PayPal users in Ireland (and I am assuming the UK too) must upgrade their account to a PayPal Business Account (must be a recent thing) in order to get the Website Payment preferences, IPN and PDT settings.

Seanie.

seanie_morris

Following up on my own query in this thread, I am finding out that my problem might be the fact that I am in Ireland. It's funny, all the settings in the Payment Methods section of Bakery were there, down to the letter, in my PayPal account months ago, and then they are gone. If I can add more details of this (for Irish users at least), I will post back some more.

Seanie.

seanie_morris

No, even getting IPN and PDT settings are changed in PayPal. From what I have read, it looks like PayPal want one to use more button functions than 3rd party implementations. But this sounds strange, and looking back on the Bakery forum here, it doesn't look like this has popped up as an issue to other WB users... that's why, with my stoopid hat on, I am wondering if I am missing something! :)

freeSbee

Seanie, are you talking about the PayPal settings Return URL and the Notification URL?
Both of them you have to enter in the dashboard of your PayPal account. Maybe places have changed since dashboards change all the time to improve usability  :-)  but both of them are still needed!

Regards Christoph

seanie_morris

Thanks for the speedy reply Christoph.

I am aware of the changes (only since visiting this forum, and not from PayPal!), what I don't know is how to get around the existing set of instructions under Bakery's Payment Methods for PayPal, which are now non-functional since PayPal has changed. My own PayPal dashboard has changed drastically, and while I get explanations on PayPal about PDTs, IPNs and so on, there is no (obvious) way to get to those settings. My PayPal account is under no restrictions, and the last time I set up a cart with Bakery was back in September. All these instructions for Website Payment Preferences and so on, seem to relate to developer options, found at: https://developer.paypal.com/

Am I missing something, or has anyone found a way to get around this?

Seanie.

freeSbee

Hi Seanie

Version Bakery 1.7.1 (11/27/2014) See version history:
Due to the POODLE SSL 3.0 vulnerability updated PayPal IPN using cURL library to comply with TLS protocol since PayPal discontinued support for SSL 3.0 support on december 3, 2014.

Regards Christoph

seanie_morris

Quote from: freeSbee on November 26, 2014, 09:27:34 PM
PayPal will completely disable SSL 3.0 support on December 3, 2014. This may cause compatibility problems for Bakery shops resulting in the inability to pay with PayPal.

Bakery uses PayPal PDT (Payment Data Transfer) and IPN (Instant Payment Notification) to verify PayPal transactions. Only PDT is ready to use the TLS protocol.

Next version of Bakery - which is almost ready - will be using TLS instead of SSLv3 protocol for both PDT and IPN.

Hi,

I need clarification on something about this: The existing version of Bakery (1.72) still uses the instructions based on the PayPal PDT settings. These have changed in PayPal, so what is the course of action here?
Quote
Website Payment Preferences
Log in to your PayPal account: Go to "My Account" > "Profile" > "My selling tools" > "Website preferences".

Seanie.

freeSbee

Hi Ruud

Thank you for the hint.

It is too bad that the guys from PHP Solutions did not update their iDEAL Checkout plug-in for Bakery. After releasing v1.7.0 I advised them of Bakerys new checkout flow but never got any reaction.

I think it should be possible to make a patch for Bakery v1.6.0 by adapting the files of v1.7.1:

  • bakery/payment_methods/paypal/check_payment.php
  • bakery/payment_methods/paypal/ipn.php

Regards Christoph

Ruud

There are many webshops out there running bakery < 1.70

Would it be possible to create an upgraded PayPal version for those too?
All Most NL webshops will have somekind of iDeal plugin installed that - due to the checkout flow - will  not run with the current Bakery versions, so they will probably still be using 1.6.x versions.

These older versions do not use SSL at all for IPN and PDT, so it is a bit unclear to me if they will keep on working after D-day.
[url=https://dev4me.com/modules-snippets/]Dev4me - WebsiteBaker modules[/url] - [url=https://wbhelp.org/]WBhelp.org[/url]

freeSbee

POODLE SSL 3.0 Vulnerability

POODLE is an internet security vulnerability that impacts the Secure Sockets Layer (SSL) 3.0 protocol that was a widespread but 15-year-old security protocol. When exploited, this vulnerability enables cyber criminals to gain access to connections.

PayPal will completely disable SSL 3.0 support on December 3, 2014. This may cause compatibility problems for Bakery shops resulting in the inability to pay with PayPal.

Bakery uses PayPal PDT (Payment Data Transfer) and IPN (Instant Payment Notification) to verify PayPal transactions. Only PDT is ready to use the TLS protocol.

Therefore if a customer does not wait to be redirected back to the webshop upon payment completion (eg. closes the browser window), your Bakery shop will not be notified about the order. In this case IPN should make the notification in the background directly to the Bakery software.

Next version of Bakery - which is almost ready - will be using TLS instead of SSLv3 protocol for both PDT and IPN.

Regards Christoph


N1kko

My Tools: MacBook Pro Retina, Coda2, Sketch 3... Couldn't live without them

freeSbee

Hi N1kko

Could you provide some more information on this? A link to the PayPal announcement would be very helpful.

Thanks and regards
Christoph

N1kko

Not sure if people are aware but paypal are having a security update early December and I see prestashop are having to update along with this. will bakery need a paypal update?
My Tools: MacBook Pro Retina, Coda2, Sketch 3... Couldn't live without them