

PayPal's Digital Certificate

2 replies to this topic

#1 seagoing



  • Members
  • Pip
  • 3 posts

Posted 07 August 2003 - 06:45 AM

The PayPal IPN Manual states, under Notification Validation...

...To be 100% certain of the authenticity of this transaction, your code should verify PayPal's certificate using Verisign's public key.

As my code to handle IPN will be ASP, how is this done?


#2 seagoing



  • Members
  • Pip
  • 3 posts

Posted 07 August 2003 - 02:15 PM

OK Shannon, that's a great answer: I do nothing, couldn't be easier!!

#3 atang00



  • Members
  • Pip
  • 6 posts

Posted 18 April 2004 - 06:12 AM

quote: Originally posted by Shannon
Nobody knows the answer to this one. No info at Verisign either. You don't really need to confirm.

Shannon, I understand that you're frustrated because there's no support on how to actually verify PayPal's digital certificate.

But since you don't know how to, or you can't find out how to, you shouldn't really be saying "You don't really need to confirm".

If, let's say, your site was a big, big important site and security is a MUST, then you do need to confirm. Basically, having a certificate (in this case, PayPal has a certificate) ensures that "THIS INFO BEING PROCESSED IS FROM https://www.paypal.com". That said, there is obviously a security hole. The question is, do you know what that security hole actually is? Note that the PayPal IPN manual/docs state that for MAXIMUM security you should verify the certificate.

Basically, the security hole if you don't verify the certificate is that someone can replicate all the process info required to give you a "VERIFIED" status. Meaning any smart hacker can generate the same HTML form from your purchase info page and send it back to a server of their own that replicates the exact things needed for it to send a "Verified" value. Therefore, the smart hacker can purchase your items for free, leaving you to think that the transaction is actually completed.

How to do this varies depending on the language you're using and the server your script is on. It's actually a complicated task as well, which is why you see the PayPal support team over here being clueless on this topic and unable to actually give information on how to do so.

I'm a Perl programmer, and for anyone using the IPN script with Perl, I suggest you look into the Net::SSLeay module. It has a function that verifies a cert's validity. Good luck :)

Thank you,
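Added example, not code from any of the posts above, from PayPal, or from Net::SSLeay: a Python stand-in (the thread talks about ASP and Perl) for the check atang00 is describing. The point is that the notification your script receives proves nothing by itself, so the handler posts the raw message back to a fixed PayPal hostname over TLS with certificate and hostname verification switched on, and only then checks that the notification describes the sale it expects. The postback URL, the function names and the sample notification body are assumptions made for illustration, and the sample body is constructed, not a captured message.

```python
"""Added example (not from the forum post or PayPal's own code): treat an
incoming IPN message as untrusted, post it back to a fixed PayPal host over
verified TLS, then check the business fields before shipping anything."""
from decimal import Decimal, InvalidOperation
import ssl
import urllib.request
from urllib.parse import parse_qsl

# Fixed postback target (assumed endpoint).  It must never be derived from
# the notification itself: an attacker who writes the notification would
# just point it at a server of their own that answers "VERIFIED".
IPN_POSTBACK_URL = "https://www.paypal.com/cgi-bin/webscr"

# Constructed sample of a notification body, as a forged one would look.
SAMPLE_NOTIFICATION = (
    "payment_status=Completed&receiver_email=merchant%40example.com"
    "&mc_gross=49.99&mc_currency=USD&txn_id=TEST1234567890&custom=order-42"
)


def build_validation_body(raw_body: str) -> str:
    """Echo the message back unaltered, prefixed with cmd=_notify-validate,
    so field order and encoding stay exactly as received."""
    return "cmd=_notify-validate&" + raw_body


def make_tls_context() -> ssl.SSLContext:
    """Context that requires a certificate chaining to a trusted CA *and*
    matching the hostname in IPN_POSTBACK_URL.  Both are already the
    defaults of create_default_context(); they are set explicitly so a
    later edit cannot silently weaken them."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def post_back(raw_body: str, timeout: float = 10.0) -> str:
    """Send the validation request.  If the peer presents a certificate that
    is not valid for the host in IPN_POSTBACK_URL, urlopen raises
    ssl.SSLCertVerificationError and the message is never treated as verified."""
    req = urllib.request.Request(
        IPN_POSTBACK_URL,
        data=build_validation_body(raw_body).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout, context=make_tls_context()) as resp:
        return resp.read().decode("ascii", "replace")


def is_verified(reply: str) -> bool:
    """Only the exact token VERIFIED from the postback counts."""
    return reply.strip() == "VERIFIED"


def check_order(fields, expected_receiver, expected_gross, expected_currency):
    """A VERIFIED reply proves PayPal produced the message, not that the
    message describes *your* sale.  Returns None if the business fields
    match, otherwise a short reason."""
    if fields.get("payment_status") != "Completed":
        return "payment not completed"
    if fields.get("receiver_email") != expected_receiver:
        return "receiver_email mismatch"
    if fields.get("mc_currency") != expected_currency:
        return "currency mismatch"
    try:
        if Decimal(fields.get("mc_gross", "")) != Decimal(expected_gross):
            return "amount mismatch"
    except InvalidOperation:
        return "amount unparsable"
    return None


def handle_ipn(raw_body, expected_receiver, expected_gross, expected_currency,
               seen_txn_ids, send=post_back):
    """Full decision for one notification.  `send` is injectable so the
    logic can be exercised without network access."""
    if not is_verified(send(raw_body)):
        return "rejected: postback not VERIFIED"
    fields = dict(parse_qsl(raw_body, keep_blank_values=True))
    reason = check_order(fields, expected_receiver, expected_gross, expected_currency)
    if reason:
        return "rejected: " + reason
    txn_id = fields.get("txn_id", "")
    if not txn_id or txn_id in seen_txn_ids:
        return "rejected: replayed or missing txn_id"
    seen_txn_ids.add(txn_id)
    return "accepted"
```

The certificate check is what stops the scenario in the post: a forged notification can say whatever it likes, but the postback goes to a hostname the merchant hard-codes, and the TLS layer refuses any peer whose certificate does not chain to a trusted CA for that name. The `check_order` step is the added caveat that even a genuine PayPal message must still match the amount, currency and receiver you were expecting, and `seen_txn_ids` stops the same genuine message from being replayed twice.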
