MADKing wrote:
Hi,
Can I use my own, real SSL instead of the OpenSSL one for Paypal?
I already have an SSL cert but do not know which file I have to use, if it is possible.
Files are:
domain.com.cabunble
domain.com.crt
www.domain.com.crt
domain.com.csr
Thanks
Post edited by: MADKing, at: 2009/04/26 04:37
Yes, you can use your own existing SSL keypairs for Paypal, provided they are in the format requested by Paypal.
However, usually those are valid for only a year or two years, or even less, and having officially signed keypairs used here does not provide additional security, as Paypal does not verify the signature anyway.
Using short-lived keypairs here is programming trouble at expiry, as the payments will suddenly stop working at expiry.
That said:
Using SSL keypairs is not required at all and brings only a slight improvement in security compared to all checks already done by CBSubs (which are way above the average Paypal implementations).
The benefits that you get by using the SSL keypairs are the following:
1) totally hide your paypal email from purchasers
2) hide all params of the purchase from purchasers in the paypal payment button.
3) if setting in paypal admin is to only accept encrypted payments, avoid anybody else selling things and generously sending money to your account.
4) additional level of prevention of tampering (but see below)
However, 1), 2) and 4) and more are checked anyway by CBSubs and cannot be tampered with by users (e.g. a user changing the amount, email or products purchased (and many more) will be detected as a fraud attempt by CBSubs and rejected and logged).
So the only real benefits of SSL keypairs are, imho:
1) hiding the email, which is not visible to bots anyway in the way CBSubs is implemented, and
3) preventing someone collecting money for you
That's why, if you want to use certs, you should use very long-lived SSL certs (Paypal does the same; theirs are valid for 30 years!) and not existing short-lived SSL certs.
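
The advice in the reply above, as an added example that is not part of the original posts or of CBSubs: a shell sketch that creates a long-lived self-signed keypair with OpenSSL, checks how long a certificate has left before it expires, and confirms that a private key belongs to a certificate. The file names, the 10950-day (30-year) lifetime, the 2048-bit key size and the 90-day warning threshold are assumptions.

```shell
#!/bin/sh
# Added example: long-lived self-signed keypair for Paypal button encryption,
# plus expiry and key/cert match checks. Names and thresholds are assumptions.

# make_keypair DIR DAYS: write DIR/paypal-prvkey.pem and DIR/paypal-pubcert.pem
make_keypair() {
    dir=$1; days=$2
    # Private key: created with a restrictive umask so only the owner can read it.
    ( umask 077; openssl genrsa -out "$dir/paypal-prvkey.pem" 2048 2>/dev/null ) || return 1
    # Self-signed public certificate; a CA signature adds nothing here
    # (per the reply, Paypal does not verify the signature).
    openssl req -new -x509 -key "$dir/paypal-prvkey.pem" \
        -out "$dir/paypal-pubcert.pem" -days "$days" \
        -subj "/CN=paypal-button-encryption" 2>/dev/null
}

# cert_valid_for CERT DAYS: succeeds if CERT is still valid DAYS days from now
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: succeeds if the private key belongs to the certificate
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Stand-alone use:  sh ewp-cert.sh new DIR        (30-year keypair in DIR)
#                   sh ewp-cert.sh check CERT KEY (warn before payments break)
case "${1:-}" in
    new)   make_keypair "$2" 10950 ;;
    check) cert_valid_for "$2" 90 || echo "WARNING: $2 expires within 90 days"
           key_matches_cert "$3" "$2" || echo "WARNING: $3 does not match $2" ;;
esac
```

Running the `check` mode from a scheduled job gives advance notice of the expiry problem described in the reply, instead of finding out when payments stop.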