Running 4.2.5 and got an email last month from PayPal that says the following:

--

https://vborg.vbsupport.ru/external/2018/01/6.png

It was my understanding that 4.2.5 fixed the IPN postbacks to HTTPS issue within vBulletin. Are they saying I need to move my forum completely over to HTTPS? Was planning to do this anyway in Q1, but just curious if anyone had insight here. Thanks.

From the paypal site ;

Merchants and partners use Instant Payment Notification (IPN) to receive notifications of events related to PayPal transactions. The IPN message service requires that you acknowledge receipt of these messages and validate them. This process includes posting the messages back to PayPal for verification. In the past, PayPal has allowed the use of HTTP for these postbacks. For increased security going forward, only HTTPS will be allowed for postbacks to PayPal. At this time, there is no requirement for HTTPS on the outbound IPN call from PayPal to the merchant’s IPN listener.

The part in bold is the https postback to paypal, that was fixed to be correct in 4.2.4 onwards.

The second part (in red) confirms that you do not need to use https on your website for the calls from paypal.


(https://www.paypal.com/en/webapps/mpp/ipn-verification-https)

From the paypal site ;



The part in bold is the https postback to paypal, that was fixed to be correct in 4.2.4 onwards.

The second part (in red) confirms that you do not need to use https on your website for the calls from paypal.


(https://www.paypal.com/en/webapps/mpp/ipn-verification-https)

Thank you, Stingray.

As a follow up here, I emailed PayPal and was told that the IPN listener I use must be SSL. Does anyone know which file serves as the IPN listener for vBulletin?

As a follow up here, I emailed PayPal and was told that the IPN listener I use must be SSL.
Again, this is not the information on their site ;

https://www.paypal.com/in/webapps/mpp/ipn-verification-https

Merchants and partners use Instant Payment Notification (IPN) to receive notifications of events related to PayPal transactions. The IPN message service requires that you acknowledge receipt of these messages and validate them. This process includes posting the messages back to PayPal for verification. In the past, PayPal has allowed the use of HTTP for these postbacks. For increased security going forward, only HTTPS will be allowed for postbacks to PayPal. At this time, there is no requirement for HTTPS on the outbound IPN call from PayPal to the merchant’s IPN listener.

Again, this is not the information on their site ;

https://www.paypal.com/in/webapps/mpp/ipn-verification-https

Here's my full exchange with them:

https://vborg.vbsupport.ru/external/2018/01/10.png

That means that your site should run on HTTPS, or only your payment gateway script.

That means that your site should run on HTTPS, or only your payment gateway script.

They just came back with this:

https://vborg.vbsupport.ru/external/2018/01/11.png

In that case your forum does not need HTTPS, looks like they got confused about the question.

Yep, their support gave you wrong information.

Only the postback from you to paypal must be https, there isnt any requirement for your end to be https.