Authorize.Net will upgrade and replace Production certificates for API services starting May 26, 2015. Technical details are provided for solutions connecting to Authorize.Net APIs that may need updates.
To see the full announcement, please see this blog post.
04-24-2015 01:05 PM
We're not removing TLS 1.0 at this time, but merchants are always encouraged to support the strongest protocols possible, which is currently TLS 1.2.
Richard
04-30-2015 08:25 AM
@Dave51, can't you spoof IP addresses as well? In which case, direct IP address connections don't automatically provide more security, and in fact can defeat security since you have to disable TLS domain verification to connect.
We don't whitelist merchant IP connections. We do expect merchants to connect to our API endpoints by domain name and fully utilize TLS to secure the connection, however.
04-30-2015 08:46 AM
I just tested with test.authorize.net instead of secure.authorize.net and had no problems. Using Java 7 but didn't install any of the new certificates. Is test.authorize.net already enforcing SHA-2 or do I have to create a sandbox account?
05-07-2015 11:45 AM
My company has some security limitations regarding dynamic IPs and domain connections. Does anybody know when this infrastructure update is going to be implemented in the production environment?
05-14-2015 07:01 AM - edited 05-14-2015 07:06 AM
Hello @flinacio
We are still waiting for the schedule for production. We will publish the information here as soon as possible.
Richard
05-14-2015 12:59 PM
This Just In!
Our production release will occur around the first part of August. More details will be available in the next week or two and will be posted here in the community as well as through email to merchants, partners and developers.
Richard
05-14-2015 01:38 PM
Hello,
Will you please explain how I can know if I need to do anything about this? What are the use cases where I would need to do something?
I have a website with a secure certificate installed that connects to Authorize.net. Is this a use case where I would need to check and/or do something?
Please be specific as I'm new to SSL. Thanks in advance.
05-14-2015 05:02 PM
Hello.
We use the simple SIM (XML based) method to POST transactions to Authorize.net.
How do these certificate changes affect us or people like us?
Is this specific only to people using AIM?
Thanks!
05-15-2015 08:15 AM - edited 05-15-2015 08:17 AM
The upgrade applies to all API endpoints your application may be using with HTTPS at Authorize.Net.
The impact for SIM is low since it is browser-driven and they already support these changes. If your implementation also connects using the Authorize.Net API (AIM), you will of course need to support these changes.
Richard
05-15-2015 08:34 AM
@tpeierls Sorry for not responding sooner.
SHA-2 is a hash used to sign certificates (among other things) so it's not a matter of whether we're enforcing it, but whether your software will be able to use SHA-2 to validate our certificate's signature. SHA-2 has been around for over a decade at this point, so really we're concerned about legacy software here.
The certs on test.authorize.net and the rest of our Sandbox environment are currently signed using SHA-2. If your software can connect to test.authorize.net right now, you should be good on that front.
In August there will be other certificates your software will need to validate, also signed using SHA-2. And test.authorize.net should have that in place as well.
05-15-2015 08:43 AM