I'm working on a non-active merchant setup through PayPal using just the
standard plan, which is currently free.
I've already set up my site with IPN and OpenSSL cert/pems. I'm passing
all data to PayPal 100% encrypted and have the configuration on PayPal set
to only accept encrypted connections.
However, I noticed through Firefox that after I purchase on the sandbox
test platform, I receive a message that although this page is
encrypted the information you are about to send will be sent over an
Is this a problem? I am using the Ryan Bates tutorial, Railscasts eps.
141, 142, and 143. I have everything working 100% and tested IPN
returns through localhost using curl. Everything is sent encrypted but
everything returned from PayPal appears unencrypted.
Is there something that I need to do on my end? I know this wouldn't
happen if my site were HTTPS, but I'm not going to be able to do that.
I have it set so that the return payments notification URL passes a
secret key so that when it returns it has to match up in order to be
valid from PayPal. I also test against several other return parameters.
While the request sent to PayPal cannot be spoofed currently, I'm
worried that the return from PayPal can be, and about what I can do to
protect that using their gateway.
Thanks in advance for any advice and input on this.
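
The checks described in the post (a secret in the notification URL plus tests on the returned parameters), written out as an added example that is not part of the original post or of the Railscasts code. It also includes PayPal's IPN postback step (`cmd=_notify-validate`, answered with `VERIFIED` or `INVALID`) through a caller-supplied callable; the method names, the use of `invoice` to carry the order id, and all sample values are assumptions.

```ruby
require "set"
require "uri"

# Constructed sample values; every name here is hypothetical.
IPN_SECRET     = "constructed-shared-secret"
MERCHANT_EMAIL = "seller@example.test"
SEEN_TXN_IDS   = Set.new # stand-in for a unique index on txn_id in the database

# Compare two strings without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns :ok, or a symbol naming the check that rejected the notification.
# order:    { id:, amount:, currency: } as stored when the cart was created;
#           amount is assumed to be a two-decimal string such as "10.00".
# postback: callable that sends its argument to PayPal over HTTPS and
#           returns the reply body ("VERIFIED" or "INVALID").
def check_ipn(params, raw_body, order, postback)
  return :bad_secret     unless secure_equal?(params["secret"].to_s, IPN_SECRET)
  return :not_verified   unless postback.call("cmd=_notify-validate&#{raw_body}") == "VERIFIED"
  return :wrong_receiver unless params["receiver_email"].to_s.downcase == MERCHANT_EMAIL
  return :not_completed  unless params["payment_status"] == "Completed"
  return :wrong_order    unless params["invoice"] == order[:id].to_s
  return :wrong_amount   unless params["mc_gross"] == order[:amount] &&
                                params["mc_currency"] == order[:currency]
  # Set#add? returns nil when the id is already present, so a replay fails here.
  return :duplicate      unless SEEN_TXN_IDS.add?(params["txn_id"].to_s)
  :ok
end

# Constructed notification body, in the form-encoded shape an IPN arrives in.
SAMPLE_RAW = "secret=constructed-shared-secret&receiver_email=seller%40example.test" \
             "&payment_status=Completed&invoice=42&mc_gross=10.00" \
             "&mc_currency=USD&txn_id=CONSTRUCTED-TXN-1"
SAMPLE_PARAMS = URI.decode_www_form(SAMPLE_RAW).to_h
SAMPLE_ORDER  = { id: 42, amount: "10.00", currency: "USD" }

# Stub postback for the offline demo; a real one would POST to PayPal over HTTPS.
puts check_ipn(SAMPLE_PARAMS, SAMPLE_RAW, SAMPLE_ORDER, ->(_body) { "VERIFIED" })
```

Because the postback is an outbound HTTPS request from the server to PayPal, it does not depend on the site itself being served over HTTPS.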