Posted by Patrick Chanezon, Google Checkout Team
This post is relevant to merchants that completed a level 2 integration using the order processing API. On May 10, we will update the SSL certificate for checkout.google.com from a wildcard certificate (*.google.com) to a certificate specifically issued for checkout.google.com.
If you use the order processing API, it's important that your code follows the security guidelines outlined in the API documentation.
We also strongly recommend that you verify the authenticity of the server certificate whenever you make the HTTPS connection with Google. Before you send any data or do HTTP Basic Authentication, please verify that:
- the server certificate belongs to checkout.google.com or sandbox.google.com
- the server certificate was signed by the appropriate Certifying Authority
- the certificate has not expired
Once this change has been made, your production code should validate the SSL certificate against checkout.google.com, not *.google.com. Note that this change will not affect you if you use any of the sample code packages.
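The three checks listed above, and why a literal comparison against `*.google.com` stops working after the change, are shown in this added Python example (not from the original post or Google's sample code packages). The function names, the certificate dicts and the clock value are constructed for illustration.

```python
import ssl

# Hosts the post names as valid API endpoints.
ALLOWED_HOSTS = {"checkout.google.com", "sandbox.google.com"}

def strict_context():
    """TLS client context: the handshake itself rejects untrusted CAs, expired
    certificates and hostname mismatches before any request data is sent."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True            # already the default; stated explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def legacy_wildcard_pin(cert):
    """Brittle check: literal comparison against the old wildcard name."""
    return ("DNS", "*.google.com") in cert.get("subjectAltName", ())

def name_matches(pattern, host):
    """A '*' may stand for exactly one leftmost label, nothing more."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and p[0] in ("*", h[0])

def check_peer_cert(cert, host, now):
    """Return the problems found in a cert dict shaped like getpeercert() output.
    CA chain validation is not repeated here; strict_context() enforces it."""
    problems = []
    if host not in ALLOWED_HOSTS:
        problems.append("unexpected host")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, host) for n in names):
        problems.append("hostname mismatch")
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        problems.append("expired")
    return problems

# Constructed sample certificates (not real certificate data).
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.google.com"),),
                 "notAfter": "Jan 10 00:00:00 2030 GMT"}
SPECIFIC_CERT = {"subjectAltName": (("DNS", "checkout.google.com"),),
                 "notAfter": "Jan 10 00:00:00 2030 GMT"}
NOW = ssl.cert_time_to_seconds("Jan 10 00:00:00 2029 GMT")  # constructed clock

if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD_CERT), ("specific", SPECIFIC_CERT)):
        print(label, legacy_wildcard_pin(cert),
              check_peer_cert(cert, "checkout.google.com", NOW))
```

In a real client the dict comes from `SSLSocket.getpeercert()` on a connection opened with `strict_context()`, and the Basic Authentication header is sent only after the handshake has succeeded.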