Checkout by Paypal: Encrypted website payments?

Freelancealot

Joined: 2009-08-18
Posts: 36
Posted: Tue, 2009-08-25 02:01

Hi,

Hope this is the correct forum to address this question to:

I've just activated the 'Checkout by Paypal' module in Gallery2, and everything seems to be working okay so far. However, the Paypal account has "Encrypted website payments" set up so you just get sent to a page with "Error Detected" and the info:

Quote:
The seller accepts encrypted website payments only. You cannot pay the seller through un-encrypted buttons. Please contact your seller for more details.

Is there a solution to making the Paypal Checkout module work with this setting in the Paypal account? I'd prefer it for security purposes.

Thanks for your help in advance.

Cheers,

Tracy

 
alecmyers

Joined: 2006-08-01
Posts: 4338
Posted: Tue, 2009-08-25 08:21

Tracy,

There is no mechanism to use encrypted website payments with checkoutpaypal. You will have to unset that option in your paypal account.

On the subject of security: Somebody can spoof either a lower payment, or insert additional products on their order if they wish, or change the prices, even, but the amount of money they pay is cross-checked (securely, using the IPN mechanism) with Gallery/checkout's original data before marking an order as "paid" and the list of products within checkout is not drawn from any paypal information received, so there's no way to insert the spoofed information back into gallery/checkout. To the best of my knowledge therefore there is no attack vector that "secure payments" would prevent.

If you know different, obviously I'd like to hear by pm.
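
The cross-check described in the post above, as an added example that is not part of the thread and not checkoutpaypal's own code. The order store, the function name and the `verified_by_paypal` flag are assumptions made for illustration; the field names are standard PayPal IPN variables, and the status, currency and replay checks go beyond the amount check the post mentions.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side order store: the only source of truth for what was
# ordered and what it costs. Order ids, items and prices are made up.
ORDERS = {
    "1001": {"items": [("print-8x10", 2)], "total": Decimal("25.00"),
             "currency": "GBP", "status": "pending"},
}
SEEN_TXNS = set()  # txn_ids already processed, to reject replayed notifications


def handle_ipn(ipn, verified_by_paypal):
    """Decide whether an IPN message may mark an order as paid.

    ipn: dict of IPN fields (invoice, mc_gross, mc_currency,
    payment_status, txn_id).
    verified_by_paypal: result of posting the message back to PayPal for
    validation; passed in as a bool here so the example runs offline.
    Returns (accepted, reason).
    """
    if not verified_by_paypal:
        return False, "ipn not verified"
    order = ORDERS.get(ipn.get("invoice"))
    if order is None:
        return False, "unknown order"
    if ipn.get("payment_status") != "Completed":
        return False, "payment not completed"
    txn_id = ipn.get("txn_id")
    if not txn_id or txn_id in SEEN_TXNS:
        return False, "missing or duplicate transaction"
    try:
        paid = Decimal(str(ipn.get("mc_gross", "")))
    except InvalidOperation:
        return False, "bad amount"
    # Compare with the stored total, never with prices the browser submitted.
    if paid != order["total"] or ipn.get("mc_currency") != order["currency"]:
        return False, "amount mismatch"
    SEEN_TXNS.add(txn_id)
    # Only the status changes; order["items"] is never rebuilt from ipn fields.
    order["status"] = "paid"
    return True, "paid"
```
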

 
Freelancealot

Joined: 2009-08-18
Posts: 36
Posted: Tue, 2009-08-25 13:44

Thanks Alec,

I know nothing....! ;)

That's really been helpful. Unfortunately, the site is for a client, and I'm not too sure they'll switch the setting off as they use encrypted Paypal buttons on other sites. I'm checking with them....if not, I guess they'll have to do without Paypal :)

Thanks for your help.

Cheers,

Tracy

 
alecmyers

Joined: 2006-08-01
Posts: 4338
Posted: Tue, 2009-08-25 14:03

You could (one could) write the necessary code, I suppose - but I don't see a pressing need.

 
Freelancealot

Joined: 2009-08-18
Posts: 36
Posted: Tue, 2009-08-25 17:55

Hi,

I don't really know enough about that side of things, unfortunately. I'm going to leave it up to my client.

Thanks for your help.

Cheers,

Tracy