PayPal SHA-256 Compliance and what it means
plus a quick guide to check if your website is affected.
This week PayPal has been sending out scary emails and causing a lot of panic. These emails are titled:
“IMMEDIATE ATTENTION REQUIRED: PayPal service upgrades.”
The problem is they are sending them to anyone who has used affected services such as Instant Payment Notifications (IPN), which is used by LOADS of consumer themes and plugins for WordPress. 99% of these people are laymen, but the email does not explain things in layman's terms. So what does it mean in layman's terms?
Why are these changes being made?
The changes are all to do with encryption. Encryption is used to send important information over the internet so that hackers can't read that information and do bad things with it. For years and years the SHA-1 algorithm has been used and this has been sufficient, but mostly due to the increase in computing power SHA-1 is becoming weaker and weaker, so the industry as a whole, not just PayPal, has agreed to move everything over to the new SHA-2 algorithm, which is several times stronger.
Where are these changes being made?
These changes to stronger encryption are being made on servers, in this case the paypal.com server.
When an IPN script on your server (yourwebsite.com) communicates with the paypal.com server, the information used to be sent protected by the SHA-1 standard, which basically all servers understand and can read. What PayPal is telling us in its email is that from 30 September 2015 (or maybe sooner) paypal.com will send information protected by the SHA-2 standard instead. Some servers (yoursite.com) running old versions of the decryption software will not be able to understand this, and that could stop the payment system on your website from doing important things like marking a sale as paid or telling you a payment has been reversed.
Who will these changes affect?
Most people will have nothing to worry about, as this should be taken care of by your web host. People on shared hosting would not even have the ability to do anything about this, as the changes that need to be made can only be done by a server admin, and most likely they will have been done a long time ago. The server software that is fully compatible with SHA-2 was released on the 1st June 2010 and there has been a new release of the software almost every month since then, so the chances are the server your website is running on has been updated.
If you manage your own server, or even a Virtual Private Server (VPS), there is a chance you could be affected. The server software you need to be worried about is OpenSSL, and the first version that was fully compliant was 0.9.8o; the "o" is an alphabetical release identifier and goes a, b, c, d…
How do I tell if I am affected?
There are a few different ways to check which version of OpenSSL your web server is using, but the easiest way is probably to create a PHP info file and open it in a browser.
- Create a new file called info.php
- Open the file, add the below code and save the file.
- Upload the file to your website root, usually your "public_html" folder.
- Open the file in your web browser at yoursite.com/info.php. If you have done things correctly, you should see a page starting like this.
- The title you want to search for is "openssl", which should take you to a section that reveals the version number; you just have to check that the version is 0.9.8o or later.
This is an example of an affected server, as its version number of 0.9.8e is less than the required version of 0.9.8o.
And this is an example of a server that is not affected, as its version number of 1.0.1e is greater than the required 0.9.8o.
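The same "is it 0.9.8o or later?" comparison, done from a terminal rather than by eye, as an added example that is not code from the original post. It orders versions the way OpenSSL's 0.9.8 and 1.0.x releases are numbered (numeric major.minor.fix, then the patch letter, with no letter sorting before "a"), checks the post's two example versions (0.9.8e and 1.0.1e, used here as constructed sample input), and optionally checks the local `openssl` binary if one is installed. Two caveats a practitioner should keep in mind: the command-line binary and the OpenSSL library that PHP or cURL actually link can be different copies, which is why the post checks through phpinfo; and if the phpinfo page lists both a library version and a header version for OpenSSL, the library version is the one that matters at runtime.

```shell
#!/bin/sh
# Added example, not code from the original post: compare an OpenSSL version
# string against the post's minimum (0.9.8o) using OpenSSL's own ordering for
# the 0.9.8 / 1.0.x series: numeric major.minor.fix, then the patch letter
# (a < b < ... < z, and no letter sorts before "a"). Later numbering schemes
# (1.1.1, 3.x) still compare correctly because their numeric parts are higher.

MIN_OPENSSL="0.9.8o"   # minimum the post names as SHA-2 compliant

# Print a single integer that orders version strings. Accepts "0.9.8o", "1.0.1e",
# "1.0.2k-fips", or a whole "openssl version" line ("OpenSSL 1.0.1e 11 Feb 2013").
# Prints -1 for anything it does not recognise (e.g. LibreSSL), which never passes.
openssl_version_num() {
    printf '%s\n' "$1" | awk '{
        v = $0
        if ($1 == "OpenSSL") v = $2                  # raw "openssl version" output
        if (v !~ /^[0-9]+[.][0-9]+[.][0-9]/) { print "-1"; exit }
        split(v, p, "[.]")
        fix = p[3]; patch = 0
        if (match(fix, /^[0-9]+/)) {
            rest   = substr(fix, RSTART + RLENGTH)   # e.g. "e", "k-fips", ""
            fix    = substr(fix, RSTART, RLENGTH)
            letter = substr(rest, 1, 1)
            if (letter ~ /^[a-z]$/) patch = index("abcdefghijklmnopqrstuvwxyz", letter)
        }
        printf "%d\n", p[1] * 1000000 + p[2] * 10000 + fix * 100 + patch
    }'
}

# Exit status 0 when the version is 0.9.8o or later, 1 otherwise.
openssl_version_ok() {
    [ "$(openssl_version_num "$1")" -ge "$(openssl_version_num "$MIN_OPENSSL")" ]
}

# Report on the two versions shown in the post (constructed sample input).
for v in 0.9.8e 1.0.1e; do
    if openssl_version_ok "$v"; then
        echo "$v: fine (>= $MIN_OPENSSL)"
    else
        echo "$v: affected (< $MIN_OPENSSL)"
    fi
done

# Optionally report on the local command-line binary, if one is installed.
# This is the CLI's own library; PHP/cURL may link a different copy, which is
# why the post checks through phpinfo.
if command -v openssl >/dev/null 2>&1; then
    local_ver=$(openssl version 2>/dev/null)
    if openssl_version_ok "$local_ver"; then
        echo "local '$local_ver': fine"
    else
        echo "local '$local_ver': affected or unrecognised"
    fi
fi
```

Run it as `sh check_openssl.sh` (the file name is my choice); the two sample lines reproduce the post's verdicts, 0.9.8e affected and 1.0.1e fine, and the last line, if printed, is the verdict for whatever OpenSSL the local shell can reach.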
How do I fix it if I am affected?
If you need the answer to that question then you are not qualified to do it, and you should find someone more qualified to apply the fix, which should only take 5 minutes.