Is it necessary to serve a paypal hosted button from a web page that has https or is http secure enough?

Question

I performed a 'web vulnerabilty scan' on my website. (from this company http://www.acunetix.com/) and there were some medium level threats. So here's the one I would like to ask about.

...........................

Alert:

Insecure transition from HTTP to HTTPS in form post.

Description:

This form is served from an insecure page (http) page. This page could be hijacked using a Man-in-the-middle attack and an attacker can replace the form target.

Impact:

Possible information disclosure.

....................................

I am aware that SSL should really be used on any page where sensitive information is entered by the user such as credit card details. However in the form that this threat was referring to, I am using a paypal hosted button which goes directly to paypal. There is no sensitive data passed from the form, just the price and and item name. Is this a threat in this case? Is it necessary to have https on the page with the hosted button? Here is the form from the hosted button. thanks a lot for any advice, Sarah

<form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post" target="_top">
        <input type="hidden" name="cmd" value="_s-xclick">
        <input type="hidden" name="hosted_button_id" value="YK6RA88XCE69G">
        <table>
        <tr><td>
        <input type="hidden" name="on0" value="Ableton Course Fees"></td></tr>
        <tr><td>
        <select name="os0">
            <option value="Full Payment">Full Payment &euro;275.00 EUR</option>
            <option value="Deposit Payment">Deposit Payment &euro;100.00 EUR</option>
        </select>
        </td></tr>
        </table>
    <input type='hidden' name='cancel_return' value='http://www.funkdafone.com/finalne4/cancelled.php'>
    <input type='hidden' name='return' value='http://www.funkdafone.com/finalne4/confirmation.php'>

    <input type="hidden" name="currency_code" value="EUR">
    <input type="image" src="https://www.sandbox.paypal.com/en_US/GB/i/btn/btn_buynowCC_LG.gif" border="0" name="submit" alt="PayPal – The safer, easier way to pay online.">
    <img alt="" border="0" src="https://www.sandbox.paypal.com/en_GB/i/scr/pixel.gif" width="1" height="1">
</form>

Answer 1

Basically when you use PayPal Hosted button you don't need to really worry about Https or http. Eventually, the encrypted information to being passed to https://www.paypal.com .

• So, since the checkout page is hosted by PayPal, you are already secure and PCI compliance is taken care too.

• If you are using your own checkout page(for example, Dodirectpayment where you collect the buyer credit card information), then you need to be PCI compliant and SSL(https) is recommended for additional security.

Answer 2

Yes, ideally you should ensure that your whole site uses HTTPS before redirecting to PayPal. However, this could have extra performance challenges as site-wide SSL (i.e. HTTPS) increases CPU load slightly: According to Google, +1% CPU and +2% network bandwidth.

Why should I use HTTPS everywhere?

Say your site is loaded over plain HTTP and the user reaches the checkout at:

http://example.com/checkout.php

This contains your above code to redirect the user to PayPal:

<form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post" target="_top">

Now if there's an attacker on the user's network (say that the user and the attacker are both at a coffee shop using the wifi there), the attacker could use a tool such as sslstrip to MITM the connection from the user to your website. This will dynamically change your page's form to plain HTTP when presented to the user:

<form action="http://www.sandbox.paypal.com/cgi-bin/webscr" method="post" target="_top">

Now when the user clicks to go to PayPal the connection is again MITM'd, allowing the attacker to intercept passwords, credit card and address details. So rather than the connection being:

User --> Coffee Shop Router --> PayPal

it will be

User --> MITM Attacker --> Coffee Shop Router --> PayPal

Of course the user may notice that their connection to PayPal is not HTTPS (their browser will show http://www.sandbox.paypal.com in the address bar without the padlock), but they might not - with consequences. This is why you should not have redirect pages to payment sites over plain HTTP - to protect your users. With SSL on your site the user will be able to trust your site at checkout stage (as it will be served over HTTPS and the padlock will be in the address bar) and will be able to follow the checkout process to PayPal securely.

In Your Case

Having said that, as you are not sending anything confidential in the form request from your site to PayPal, there is good chance that a user will notice that they are not on the secure version of PayPal before entering any details. If your form contained information that if an attacker could intercept instantly by their sslstrip attack, then your site would be much more of a risk.

In conclusion, it appears you may be able to accept the risk here as it is low. I would recommend HTTPS site-wide if it is within your means. Either way, always encourage your users to check the address bar and padlock before entering their PayPal login or their card details. In that case repeat customers will be more likely to spot if their connection had been MITM'd when visiting your site from different locations.