21 January 2016 @ 02:13 am
PayPal breaks their API  
Starting from 2016-01-20 our old unit tests for PayPal integration functionality do not work anymore.
PayPal changed how their sandbox API works.

On January 19-20, 2016
The Sandbox endpoints will be upgraded to new SHA-256, 2048-bit certificates:
After June 17, 2016
The Production endpoints will be upgraded to new SHA-256, 2048-bit certificates:

Here are the upgrade instructions from PayPal:
How to Update to Prevent Service Outage
To prepare for these changes, please use the checklist below to ensure everything has been upgraded completely:

Talk to the technical contact or 3rd party partner that you used to create the checkout.
Save the VeriSign G5 Root Trust Anchor in your keystore.
Upgrade your environment to support the SHA-256 signing algorithm.
Perform end-to-end testing of the integration against the Sandbox / Payflow Pilot environment (including Instant Payment Notifications (IPN), Payment Data Transfer (PDT), and Silent Posts).

Why do I need to save certificates into my keystore in order to maintain PayPal integration?
Why cannot they use our standard SSL certificate that we already have installed on our web server?

Why does PayPal give no instructions about how to "Upgrade our environment to support the SHA-256"?

It looks like PayPal architects simply do not care about what their customers (developers) will have to go through in order to maintain their API.

Ironically, revenue from PayPal is less than 10% of our revenue, so maintaining all that complexity associated with PayPal API integration does not make sense.
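
An added example, not part of the original post and not PayPal's code: a minimal local check for checklist items 2 and 3, reporting whether a trust store holds the VeriSign G5 root inside its validity window and whether the runtime exposes SHA-256. The helper names and the sample store are constructed for illustration; the full subject CN of the G5 root is supplied here, not taken from the post.

```python
import hashlib
import ssl
from datetime import datetime, timezone

# Full subject CN of the root that the checklist calls "VeriSign G5".
G5_CN = "VeriSign Class 3 Public Primary Certification Authority - G5"

# Constructed sample in the dict shape SSLContext.get_ca_certs() returns.
SAMPLE_STORE = [{
    "subject": ((("countryName", "US"),),
                (("organizationName", "VeriSign, Inc."),),
                (("commonName", G5_CN),)),
    "notBefore": "Nov  8 00:00:00 2006 GMT",
    "notAfter": "Jul 16 23:59:59 2036 GMT",
}]

def subject_cn(cert):
    """Return the subject commonName of a get_ca_certs()-style dict, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def anchor_status(ca_certs, cn=G5_CN, now=None):
    """Return 'present', 'expired' or 'missing' for the trust anchor named cn."""
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    status = "missing"
    for cert in ca_certs:
        if subject_cn(cert) != cn:
            continue
        start = ssl.cert_time_to_seconds(cert["notBefore"])
        end = ssl.cert_time_to_seconds(cert["notAfter"])
        if start <= now <= end:
            return "present"
        status = "expired"  # found, but outside its validity window
    return status

def sha256_available():
    """Necessary, not sufficient: the sandbox end-to-end test is the real proof."""
    return "sha256" in hashlib.algorithms_available

if __name__ == "__main__":
    # get_ca_certs() lists certificates loaded from a CA file; certificates in
    # a capath directory are not listed until they have been used.
    store = ssl.create_default_context().get_ca_certs()
    print("OpenSSL build:", ssl.OPENSSL_VERSION)
    print("SHA-256 available:", sha256_available())
    print("G5 anchor, default store:", anchor_status(store))
    print("G5 anchor, sample store:", anchor_status(SAMPLE_STORE))
```

A "missing" result for the default store means the anchor has to be added to whatever store the HTTP client actually reads, which may differ from the one Python uses.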

Facebook discussion
serjiojitser on January 21st, 2016 02:50 pm (UTC)
ex_juan_gan on January 21st, 2016 05:29 pm (UTC)
Because they can. And they don't want to take the blame for using weaker encryption/signing.

Of course, seriously, I'd give customers a grace period, accepting both current certs and new ones.

We have a similar problem, but we are not PayPal, so I'm trying to figure out how to enforce good security without losing partners.
Dennis Gorelik (dennisgorelik) on January 21st, 2016 07:15 pm (UTC)
> Because they can.

They can only in the sense that they can afford to lose a lot of business.

I am sure that Stripe is happy to pick up more former PayPal customers.

It is probably easier to create new integration with Stripe than upgrade existing API integration with PayPal.

> We have a similar problem, but we are not PayPal

> grace period, accepting both current certs and new ones.

PayPal does that - 1 year. 6 months are gone already. We still have 6 more months.
But these remaining 6 months will be gone fast.

> how to enforce good security

Why enforce good security?
Why not just keep good security as an option?

If the client does not care about extra security - why enforce it?
ex_juan_gan on January 22nd, 2016 10:20 pm (UTC)
Clients! Something breaks, it's our fault.