Return encryption non-ssl or https - is it necessary?

Hi all,

I'm working on a non-active merchant setup through paypal using just the
standard plan, which is currently free.

I've already setup my site with IPN and openssl cert/pems. I'm passing
all data to paypal 100% encrypted and have configuration on paypal set
to only accept encryption connections.

However, I noticed through firefox that after I purchase on the sandbox
test platform that I receive a message that although this page is
encrypted the information you are about to send will be sent over an
unencrypted connection..

Is this a problem? I am using the Ryan Bates tutorial railscast epp.
141, 142, and 143. I have everything working 100% and tested IPN
returns through localhost using curl. Everything is sent encrypted but
everything returned from paypal appears unencrypted.

Is there something that I need to do on my end? I know this won't
happen if my site were https but I'm not going to be able to do that.

I have it set so that the return payments notification url passes a
secret key so that when it returns it has to match up in order to be
valid from paypal. I also test against several other return parameters.

While the request sent to paypal cannot be spoofed currently, I'm
worried that the return from paypal can and what I can do to protect
that using their gateway.

Thanks in advance for any advice and input on this.

I think I figured it out but I just can't test it yet. There's a
website configuration within profile on paypal's site that sets an
autoreturn that's supposed to fix the return encryption issue that shows
on browsers like firefox.

I just can't test it right this minute because when you develop on
localhost, you can't use auto return and paypal won't send anything to a
localhost configured address.

I've used the curl commands to simulate everything returned and for
setting up order transactions. I'll just have to test it privately in
production when I get ready for that phase.

If anyone can confirm/deny this, please let me know. I'm trying to make
sure I have a minimal amount of angst in production.

Thanks.

Alpha Blue wrote:

I just can't test it right this minute because when you develop on
localhost, you can't use auto return and paypal won't send anything to a
localhost configured address.

It sounds like you need a staging server.

DyingToLearn wrote:

Alpha Blue wrote:

I just can't test it right this minute because when you develop on
localhost, you can't use auto return and paypal won't send anything to a
localhost configured address.

It sounds like you need a staging server.

Well, next year I shouldn't have the same issues I'm having right now.
I plan on having a staging server, a multi-tiered slice environment with
nginx or similar on frontend, and housing my db completely separately on
another slice and my content on yet another slice. This will help me
with development and load balancing my app during heavy seasonal
traffic.