The Authorize.Net Developer Blog

Posts from Authorize.Net employees, community members and experts about integrating with the Authorize.Net Payment Gateway: sample code, tutorials, and problem-solving techniques, just to name a few.

Authorize.Net Begins Infrastructure and SHA-2 Certificate Upgrades

by Administrator Administrator on ‎03-23-2015 09:00 AM (405,236 Views)

Authorize.Net is upgrading our infrastructure to enhance system performance and security. The changes will be made to our sandbox environment first with updates to production following at a date still to be determined.

 

Our IP addresses will change to become dynamic rather than limited to a small range of static IPs. If your solution uses a firewall to filter outbound connections, we encourage you to make sure that the firewall is set to allow connections by domain rather than IP address. Direct connections via IP address are strongly discouraged and will soon be disallowed.

 

The infrastructure upgrades to the sandbox will begin on Tuesday, March 31st. The date for production is TBD, and we will post another announcement once that date is finalized.

 

To ensure your solution works with the infrastructure changes, please validate the following:

 

  • Your certificate store includes certificates for Root 2 - GeoTrust Global CA
  • Your security transport—the part that negotiates TLS—supports SHA-256
  • Your solution does not connect directly to Authorize.Net using an IP address
  • Your solution’s firewall is not set to whitelist Authorize.Net IP addresses for outbound connections

Security Certificate Upgrades

 

The security certificates used by Authorize.Net for our sandbox and production payment gateway are currently signed using Security Hash Algorithm 1 (SHA-1). Along with the above changes, we will also update our certificates so that they are signed using Security Hash Algorithm 2 (SHA-2).

 

The upgrade to SHA-2 conforms to a change among server and browser manufacturers to deprecate use of SHA-1:

 

  • Microsoft announced in late 2013 that they would no longer accept SHA-1 signed certificates which expire after January 1, 2017:
  • In September 2014 Google announced that the Chrome browser would gradually depreciate SHA-1 support, and would also reject SHA-1 signed certificates which expire after January 1, 2017. In addition, SHA-1 signed certificates which expire in 2016 would be flagged as secure but with errors.
  • Also in September 2014, Mozilla announced that they would also reject SHA-1 signed certificates that expire after January 1, 2017. Mozilla is the basis of a family of browsers, the most well-known being Mozilla Firefox.

While most modern operating systems and web servers support SHA-2, there is a concern that older software—especially software based on outdated versions of Java—may not adequately support SHA-2.  We are upgrading our sandbox environment first so developers can validate that their solutions will continue to work using SHA-2 signed certificates, prior to making the same changes to the production environment.

 

After the update is complete, any software which cannot validate an SHA-2 signed certificate will fail to connect to Authorize.Net servers.

 

Richard

Authorize.Net Developer Community Manager