Status of SHA-256 on App Engine for PayPal?


Brian

Mar 24, 2015, 9:11:33 AM
to google-a...@googlegroups.com
PayPal has recently announced their transition from SHA-1 to SHA-256. The announcement includes the following:

"...our efforts to upgrade SSL certificates for our production endpoints are scheduled to start in May 2015, and will continue into next year... you may be required to implement these changes prior to the dates listed on the microsite. Otherwise, you may not be able to process payments through your current integration with PayPal..."

What is the Google App Engine schedule to move to SHA-256?

If PayPal moves to SHA-256 before Google does, is there a workaround I can use to keep my site PayPal transactions working?




Jeff Schnitzer

Mar 24, 2015, 2:24:35 PM
to Google App Engine
What part of app engine are you asking about?

Jeff


Brian

Mar 25, 2015, 8:14:21 AM
to google-a...@googlegroups.com, je...@infohazard.org
Hi Jeff,

My knowledge around security and encryption is limited, but I assume it's all part of the delivery of https protocol services. The two basic use cases are:

1. When a customer on my site initiates a purchase, data such as seller id, product name, quantity, and price are sent over https to PayPal where the customer completes the purchase on PayPal's UI and infrastructure.

2. When PayPal confirms payment of the transaction (sometimes several days later if an eCheck was used) then PayPal will send confirmation to my site's IPN endpoint over https, which then triggers my order fulfilment process.

The way I understand it, after PayPal's end date for SHA-256 implementation, my https transactions with PayPal will fail if Google does not support SHA-256 encryption within the https protocol scheme.

Let me know if you can clarify anything. Thanks!

Brian

Barry Hunter

Mar 25, 2015, 8:26:31 AM
to google-appengine

> The way I understand it, after PayPal's end date for SHA-256 implementation, my https transactions with PayPal will fail if Google does not support SHA-256 encryption within the https protocol scheme.

Do you have evidence that Google doesn't support SHA-256 Certificates? (I guess in this case via URLFetch) 

(Note SHA-256 is not encryption, it's how the certificates are validated)


If PayPal is talking directly with users, then it's up to whether the user's browser supports such certificates.




(and at worst, supposing URLFetch doesn't work with such certificates, could perhaps just validate_certificate=FALSE, or even bypass URLFetch via the sockets API)
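
Added example, not part of the original thread: the "SHA-256" in this migration is the hash inside the CA's signature on the server certificate, and it can be read straight from the certificate's `signatureAlgorithm` field. The function names and the constructed certificate skeletons below are assumptions made for illustration.

```python
import ssl

# signatureAlgorithm OIDs (RFC 3279 / RFC 4055); unknown OIDs are returned dotted.
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(body):
    vals, cur = [], 0
    for b in body:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            vals.append(cur)
            cur = 0
    first = min(vals[0] // 40, 2)  # the first two arcs are packed into one value
    return ".".join(map(str, [first, vals[0] - 40 * first] + vals[1:]))

def cert_signature_algorithm(der):
    """Algorithm the issuing CA used to sign this certificate."""
    tag, start, _ = read_tlv(der, 0)             # Certificate ::= SEQUENCE
    _, _, tbs_end = read_tlv(der, start)         # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)     # signatureAlgorithm SEQUENCE
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER X.509 certificate")
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_OIDS.get(oid, oid)

def endpoint_signature_algorithm(host, port=443):
    """Fetch a server's leaf certificate (needs network access) and classify it."""
    pem = ssl.get_server_certificate((host, port))
    return cert_signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))

def sample_cert(sig_oid_der):
    """Constructed skeleton, not a real certificate: dummy tbsCertificate and signature."""
    tlv = lambda tag, body: bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body
    tbs = tlv(0x30, b"\x00" * 300)
    alg = bytes([0x30, len(sig_oid_der) + 2]) + sig_oid_der + b"\x05\x00"
    return tlv(0x30, tbs + alg + b"\x03\x02\x00\x00")

SHA1_RSA_OID = bytes.fromhex("06092a864886f70d010105")      # constructed sample input
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")    # constructed sample input
```

`endpoint_signature_algorithm` reports only the leaf certificate; intermediate certificates in the chain carry their own signature algorithms.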






Brian

Mar 25, 2015, 1:37:42 PM
to google-a...@googlegroups.com
On Wednesday, March 25, 2015 at 7:26:31 AM UTC-5, barryhunter wrote:

> Do you have evidence that Google doesn't support SHA-256 Certificates? (I guess in this case via URLFetch) (Note SHA-256 is not encryption, it's how the certificates are validated)

I don't know one way or another -- that's why I thought I'd ask. I've heard that Google is encouraging the rapid migration away from SHA-1, but I could not find any announcements from Google about their own schedule for this -- especially for App Engine and if they will be supporting SHA-256.

> If PayPal is talking directly with users, then it's up to whether the user's browser supports such certificates.

> (and at worst, supposing URLFetch doesn't work with such certificates, could perhaps just validate_certificate=FALSE, or even bypass URLFetch via the sockets API)

I believe the user's browser is responsible for part of the transaction, but with their IPN solution my app (on App Engine) first needs to request a transaction id, then after PayPal confirms the payment has cleared they will POST to my app's IPN endpoint.

Maybe someone from Google could chime in and let us know what's up?

Brian

Jun 5, 2015, 5:09:13 PM
to google-a...@googlegroups.com
FYI: I did try the PayPal updated sandbox environment with my App Engine app a few weeks ago, and it seemed to work okay.

An issue was opened several years ago requesting better documentation around these concerns; please star it to increase the priority:
https://code.google.com/p/googleappengine/issues/detail?id=5266

Also, another user has opened a new thread regarding this issue, and Nick from Google has responded:
https://groups.google.com/forum/#!topic/google-appengine/oinyMmcoWOg