Well I found out, that I need to encrypt the form myself, wich is not as easy, being 2 days, got the certificates with openSSL and everything, however the rest....
I found this in another forum, but I just cant understand how to implent it, and how it can work:
You don't have to encrypt. Simply take the 'custom' variable, and, among other things you might need to put in there, add a hash of the price and product number, like so:
$sCustom .= '|' . md5($sSalt . $sProduct . $sPrice);
Then, when the IPN is processed, ensure that this hash was not disturbed with what is received back. If it was, then block the transaction."