
Connection to PayPal is https???

Use this forum for issues related to TriniTronic's Nice PayPal Downloads Extension.

Connection to PayPal is https???

Postby nolik » Sat Nov 19, 2011 9:47 am

I’d like to find out the level of security connection to PayPal servers.

1. Is it https protocol?
2. Is it possible for hackers to substitute the ID of my PayPal account with their PayPal ID, so my customers will pay to a different PayPal account?

I appreciate your comments.
Thanks.
nolik
Stratos
 
Posts: 18
Joined: Sat Nov 19, 2011 9:35 am

Re: Connection to PayPal is https???

Postby Michael » Sat Nov 19, 2011 11:00 am

Hi,

Thanks for the inquiry. I appreciate it.

1. Is it https protocol?

All monetary transactions take place on PayPal's secure checkout server. So, there is no need to worry about https or an SSL Certificate. PayPal takes care of all the security for you.

2. Is it possible for hackers to substitute the ID of my PayPal account with their PayPal ID, so my customers will pay to a different PayPal account?

This is not possible unless a hacker gains administrative access to your Joomla website. In which case, you have much bigger problems to worry about, like regaining control of your Joomla website. I have never heard of something like this happening. The best defense is to use a strong username and password for your Joomla administrative page.

~ Best regards
Share the love, please post your positive review in the Joomla Extensions Directory, or the Wordpress Plugin Directory. It's greatly appreciated!
Michael
Cosmos
 
Posts: 3249
Joined: Thu Aug 14, 2008 12:30 am

Re: Connection to PayPal is https???

Postby nolik » Sat Nov 19, 2011 1:26 pm

Michael wrote:
1. Is it https protocol?
All monetary transactions take place on PayPal's secure checkout server. So, there is no need to worry about https or an SSL Certificate. PayPal takes care of all the security for you.

Thank you for the comment. It helped a lot. I appreciate if you clear the last point for me:

I checked the HTML code of the PayPal buttons available from PayPal directly. It uses https addresses.

1. If I install “Nice PayPal Downloads Extension”, does the PayPal button still use an https address? If not, can I correct the HTML code to https?

I’m opinionated, sorry for that.
Thanks
nolik
Stratos
 
Posts: 18
Joined: Sat Nov 19, 2011 9:35 am

Re: Connection to PayPal is https???

Postby Michael » Sat Nov 19, 2011 6:22 pm

Hi,

Yes, the extension creates buttons that send the buyer to this URL: https://www.paypal.com/cgi-bin/webscr. You will see that the URL is indeed an https based URL. So, the buyer's transaction will be secure.

~ All the best
Michael
Cosmos
 
Posts: 3249
Joined: Thu Aug 14, 2008 12:30 am

Re: Connection to PayPal is https???

Postby nolik » Sat Nov 19, 2011 7:17 pm

Well Michael,
I just purchased and installed “Nice PayPal Downloads”.
I did everything by the book.

Now I got this message from PayPal:
[image]

What is wrong?
Thanks for the support.
nolik
Stratos
 
Posts: 18
Joined: Sat Nov 19, 2011 9:35 am

Re: Connection to PayPal is https???

Postby nolik » Sat Nov 19, 2011 7:50 pm

I’ve studied the PayPal documentation and discovered that I have to encrypt the buttons I use on my website myself. They commented that the original PayPal buttons are already encrypted:
https://www.paypal.com/us/cgi-bin/websc ... /ewp-intro

But if I use my custom buttons, then I have to download a certificate and encrypt my buttons. Then I got a link to the developers corner:
https://cms.paypal.com/us/cgi-bin/marke ... nload_sdks

Thus, is there a chance to send ENCRYPTED data from my site (Nice PayPal Download Button) to the PayPal site?
Thanks
nolik
Stratos
 
Posts: 18
Joined: Sat Nov 19, 2011 9:35 am

Re: Connection to PayPal is https???

Postby Michael » Sat Nov 19, 2011 10:48 pm

Hi nolik,

This is not a problem. There is a setting in your PayPal account that you need to change to disable the error message. Follow the steps below.

1. Log in to your PayPal account
2. Go to Profile>>My selling tools
3. Find "Website preferences" and click the "Update" link
4. On the Website Payment Preferences page find the section for Encrypted Website Payments
5. Select Off for the "Block Non-encrypted Website Payments" setting
6. Click the Save button at the bottom of the page
7. Done!

After you have changed your settings, encrypted payments will still work, but they will not be required.

Let me know if you need additional assistance.

~ Best regards
Michael
Cosmos
 
Posts: 3249
Joined: Thu Aug 14, 2008 12:30 am

Re: Connection to PayPal is https???

Postby nolik » Sun Nov 20, 2011 5:20 am

Michael wrote:
Hi nolik,
Let me know if you need additional assistance.
~ Best regards

Michael, thank you for the support.
I solved the issue by lowering the security settings as you mentioned.

I appreciate your comments on:
1. The encryption of the PayPal button on my side does not exist. So, as far as I understand it, the data from my site to the PayPal site goes open, without encryption?
2. As the PayPal button is not encrypted, how could it affect the security of the transaction in general?
3. Which folders involved in “Nice PayPal Downloads” activity do I have to secure with server-based security methods (password, IP or something similar) in order to prevent PayPal e-mail login substitution?

Thank you for the support.
Ilya.
nolik
Stratos
 
Posts: 18
Joined: Sat Nov 19, 2011 9:35 am

Re: Connection to PayPal is https???

Postby Michael » Sun Nov 20, 2011 12:35 pm

Hi Ilya,

It is interesting to see someone so concerned about security. PayPal has a pretty good system and most folks don't give it a second thought. One vote of confidence for the Nice PayPal Downloads security is that I have been using it on my site for over two years or so. I have not had any security issues to my knowledge.

1. The encryption of the PayPal button on my side does not exist. So, as far as I understand it, the data from my site to the PayPal site goes open, without encryption?
2. As the PayPal button is not encrypted, how could it affect the security of the transaction in general?

The Nice PayPal Downloads does not generate encrypted buttons. It uses the PayPal Standard HTML method for generating its buttons. This method has been used by PayPal for many years without too many problems. The one issue with this method is that all of the purchase information is available to the site visitor in the HTML code. For example, here is the button form code for the Nice PayPal Button plugin on my site.

Code:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
  <input type="hidden" name="cmd" value="_xclick"> 
  <input type="hidden" name="business" value="xxxxx@trinitronic.com"> 
  <input type="hidden" name="item_name" value="Nice PayPal Button Plugin"> 
  <input type="hidden" name="item_number" value="3">
  <input type="hidden" name="quantity" value="1">
  <input type="hidden" name="amount" value="15.00">
  <input type="hidden" name="tax" value="0">
  <input type="hidden" name="shipping" value="0">
  <input type="hidden" name="currency_code" value="USD">
  <input type="hidden" name="lc" value="US">
  <input type="hidden" name="return" value="http://trinitronic.com/index.php?option=com_nicepaypaldownloadsxxxxxx">   
  <input type="hidden" name="cancel_return" value="http://trinitronic.com/index.php?option=com_nicepaypaldownloadsxxxxxx">   
  <input type="hidden" name="notify_url" value="http://trinitronic.com/index.php?option=com_nicepaypaldownloadsxxxxxx"> 
  <input type="image" border="0" name="submit" src="http://trinitronic.com/images/btn-buynow.png" alt="PayPal - The safer, easier way to pay online">
</form>


As you can see all of the purchase information is available. Criminal minded individuals could use this information to try and illicitly purchase one of your download files for less than the sales price. One method a criminal might do this is to copy the button code to a new page on a server or web space that the criminal controls. Then the hacker simply replaces the purchase price value in the code. They can then click the buy button on their site and purchase the item for their price.

Example of tampered button code.
Code:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
  <input type="hidden" name="cmd" value="_xclick"> 
  <input type="hidden" name="business" value="xxxxx@trinitronic.com"> 
  <input type="hidden" name="item_name" value="Nice PayPal Button Plugin"> 
  <input type="hidden" name="item_number" value="3">
  <input type="hidden" name="quantity" value="1">
  <input type="hidden" name="amount" value="0.01">
  <input type="hidden" name="tax" value="0">
  <input type="hidden" name="shipping" value="0">
  <input type="hidden" name="currency_code" value="USD">
  <input type="hidden" name="lc" value="US">
  <input type="hidden" name="return" value="http://trinitronic.com/index.php?option=com_nicepaypaldownloadsxxxxxx">   
  <input type="hidden" name="cancel_return" value="http://trinitronic.com/index.php?option=com_nicepaypaldownloadsxxxxxx">   
  <input type="hidden" name="notify_url" value="http://trinitronic.com/index.php?option=com_nicepaypaldownloadsxxxxx"> 
  <input type="image" border="0" name="submit" src="http://trinitronic.com/images/btn-buynow.png" alt="PayPal - The safer, easier way to pay online">
</form>


The example above shows how I changed the "amount" field to equal 0.01. This is well below the $15 sale price of my item. All I would have to do is publish the above altered form code to a web space and click the button, I could then make a purchase of the Nice PayPal Button plugin for $0.01. This strategy has outwitted many a web master's security efforts. And is the primary reason (in my opinion) that PayPal offers encrypted buttons now.

However, the design of the Nice PayPal Downloads takes the above security issue into account. When PayPal sends the IPN message to the Nice PayPal Downloads extension (NPD), the extension validates the purchase information against its own records in the Joomla Database. If the IPN message says that the buyer purchased the Nice PayPal Button plugin for 0.01, then the purchase amount would not match the listing price of $15 in my website's database. The IPN message would be rejected as fraudulent. And the would-be fraudster would not receive a download link from my site.

This actually happened to me several weeks ago. Multiple transaction attempts from the same buyer came in for $0.01. I could see their purchases in my PayPal history, but there were no records of this in the Nice PayPal Downloads Transactions history. So, the illicit buyer was not able to obtain anything from my site.

If you are still very concerned about encrypted buttons, then you can generate encrypted buttons on PayPal and use them on your site instead of the extension's payment buttons. You just need to make sure that all of the information in the encrypted button record on PayPal matches the information in the Nice PayPal Downloads Item record. Otherwise, any payments made with the encrypted buttons will be rejected as fraudulent.

3. Which folders involved in “Nice PayPal Downloads” activity do I have to secure with server-based security methods (password, IP or something similar) in order to prevent PayPal e-mail login substitution?

The only folder you should have to secure is the Download File folder. This is to prevent direct access to the folder that contains the files you are selling. Please see the documentation here http://trinitronic.com/index.php/Downlo ... ecurefiles

~ Best regards
Michael
Cosmos
 
Posts: 3249
Joined: Thu Aug 14, 2008 12:30 am
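The IPN check Michael describes (the paid amount compared against the item record in the database, so a $0.01 tampered button never yields a download), written out as an added Python example; it is not the extension's own PHP code. It goes a little beyond the post by also checking receiver_email (nolik's question about a substituted PayPal account), the currency, and txn_id replay. CATALOG, MERCHANT_EMAIL and both IPN bodies are constructed, and the HTTPS postback to PayPal is stubbed so it runs offline.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qsl

# Constructed stand-in for the NPD item records in the Joomla database.
CATALOG = {"3": {"amount": "15.00", "currency": "USD"}}
MERCHANT_EMAIL = "seller@example.com"  # hypothetical merchant account

def validate_ipn(raw, postback, seen_txn):
    """Return (accepted, reason) for one URL-encoded IPN body. Every check
    compares against the merchant's own records, never against form values
    a buyer could have edited in the button HTML."""
    msg = dict(parse_qsl(raw, keep_blank_values=True))
    # 1. Ask PayPal whether it really sent this message (the IPN postback).
    if postback("cmd=_notify-validate&" + raw) != "VERIFIED":
        return False, "postback not VERIFIED"
    if msg.get("payment_status") != "Completed":
        return False, "payment not completed"
    # 2. The money must have gone to our account, not a substituted one.
    if msg.get("receiver_email", "").lower() != MERCHANT_EMAIL.lower():
        return False, "receiver_email mismatch"
    # 3. Price and currency come from the database, not the button (the $0.01 case).
    item = CATALOG.get(msg.get("item_number", ""))
    if item is None:
        return False, "unknown item_number"
    if msg.get("mc_currency") != item["currency"]:
        return False, "currency mismatch"
    try:
        paid = Decimal(msg.get("mc_gross", ""))
    except InvalidOperation:
        return False, "unparseable mc_gross"
    if paid != Decimal(item["amount"]):
        return False, "amount mismatch"
    # 4. A genuine IPN replayed a second time must not yield a second download.
    txn = msg.get("txn_id", "")
    if not txn or txn in seen_txn:
        return False, "missing or replayed txn_id"
    seen_txn.add(txn)
    return True, "ok"

def fake_postback(_body):
    """Offline stand-in for the HTTPS postback to PayPal; always answers VERIFIED."""
    return "VERIFIED"

# Constructed IPN bodies: a legitimate $15.00 sale and the $0.01 tampered one.
GOOD_IPN = ("txn_id=TX1&payment_status=Completed&receiver_email=seller%40example.com"
            "&item_number=3&mc_gross=15.00&mc_currency=USD")
TAMPERED_IPN = GOOD_IPN.replace("mc_gross=15.00", "mc_gross=0.01").replace("TX1", "TX2")
```

In a real handler the postback is an HTTPS POST of the original body to PayPal's IPN endpoint, and seen_txn would be the transactions table rather than an in-memory set.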

Re: Connection to PayPal is https???

Postby nolik » Sun Nov 20, 2011 1:22 pm

Well Mike,
I’m impressed! Thank you very much. It is clear for me now.
nolik
Stratos
 
Posts: 18
Joined: Sat Nov 19, 2011 9:35 am

Re: Connection to PayPal is https???

Postby Michael » Sun Nov 20, 2011 1:36 pm

You are welcome!
Michael
Cosmos
 
Posts: 3249
Joined: Thu Aug 14, 2008 12:30 am
