A new security flaw that affects the SSL 3.0 protocol was disclosed yesterday.
In short, the POODLE bug (Padding Oracle On Downgraded Legacy Encryption) lets an attacker in a man-in-the-middle (MITM) position decrypt parts of your encrypted traffic, such as session cookies, while you are browsing.
Internet Explorer 6.0 on Windows XP still relies on SSL 3.0, but fortunately it represents only a very small share of global internet traffic. POODLE would not be as serious if the MITM attacker could not also force modern browsers to fall back to SSL 3.0, which nearly every browser still allows unless you have explicitly disabled it.
As always, we take every bug very seriously. Our engineering team was immediately on it and has implemented the following measures:
- We have removed SSL 3.0 from the servers for our Merchant Centre and website.
- SSL 3.0 support for our API will be discontinued entirely on November 15th, 2014.
What should you do?
Please note that after November 15th, 2014, transactions on your website could fail for visitors using outdated browsers and operating systems.
Make sure you take these necessary steps:
- Notify your customers by November 15th, 2014 that they should disable SSL 3.0 in their browsers and update them to the latest version.
- Keep your systems and applications updated.
- Make sure you are using the latest version of your e-commerce platform.
- Check that your server does not negotiate SSL 3.0 for its outgoing connections (for example, to our API).
- Remove SSL 3.0 entirely from your server.
- Configure your server to use TLS 1.0 or later.
Plugins to update
We’ve identified the following PAYMILL plugins to be vulnerable to the security bug. If you’re using any one of them, we advise you to update to the latest version:
- Magento Plugin 3.0.0 or earlier
- OXID Plugin 2.0.0 or earlier
- Gambio Plugin 1.0.4 or earlier
- osCommerce Plugin 1.0.5 or earlier
- xtcommerce Plugin 1.0.4 or earlier
- xt:commerce 4 Plugin 2.1.0 or earlier
- PrestaShop Plugin 1.1.0 or earlier
- Shopware Plugin 1.1.0 or earlier
- Opencart Plugin 1.0.3 or earlier
- JTL Plugin 1.1.0 or earlier
If you are using the PAYMILL PHP wrapper and have removed SSL 3.0 from your server, you need to change one line in the file Paymill/Apiclient/Curl.php. You will find this file in the PHP wrapper itself or in the PHP wrapper folder of the respective plugin.
All you need to do is delete this line (around line 108):
CURLOPT_SSLVERSION => 3
The value 3 is CURL_SSLVERSION_SSLv3, so this line forced every API request to use SSL 3.0; once SSL 3.0 is gone from your server or from our API, those requests fail at the handshake. With the line deleted, cURL falls back to its default behaviour and negotiates the highest protocol version that both your server's cURL/OpenSSL build and our API support.
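As an added example (this is not code from the PAYMILL wrapper or any of the plugins), the following minimal cURL client shows the pinned-SSL 3.0 setting next to a stricter replacement: instead of only deleting the line and leaving the choice to cURL's default negotiation, it requires TLS 1.x, so SSL 3.0 is never offered in the handshake at all. The function names buildCurlOptions and postJson and the endpoint URL are placeholders chosen for this example.

```php
<?php
// Added example, not PAYMILL's own code. A minimal HTTPS client that refuses
// SSL 3.0 instead of forcing it. Endpoint URL and payload are placeholders.

// The line the advisory tells you to delete pinned every request to SSL 3.0:
//   CURLOPT_SSLVERSION => 3   // 3 == CURL_SSLVERSION_SSLv3
// Once the API stops accepting SSL 3.0, every such request fails its handshake.

function buildCurlOptions($url, $body)
{
    // The CURL_SSLVERSION_* constants only exist in newer PHP builds; the
    // underlying libcurl value for "TLS 1.x only" is 1.
    $tlsOnly = defined('CURL_SSLVERSION_TLSv1') ? CURL_SSLVERSION_TLSv1 : 1;

    return array(
        CURLOPT_URL            => $url,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        // Require TLS 1.x. Deleting the option entirely lets cURL negotiate
        // the highest version both sides support; pinning TLS here goes one
        // step further and never offers SSL 3.0 in the ClientHello, so a
        // man-in-the-middle cannot steer this client back to it.
        CURLOPT_SSLVERSION     => $tlsOnly,
        // Verify the server certificate and hostname. Disabling either makes
        // a man-in-the-middle trivial regardless of the protocol version.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    );
}

function postJson($url, array $payload)
{
    $ch = curl_init();
    curl_setopt_array($ch, buildCurlOptions($url, json_encode($payload)));
    $response = curl_exec($ch);
    if ($response === false) {
        // A client still pinned to SSL 3.0 talking to a TLS-only server ends
        // up here with an SSL connect error rather than an HTTP status code.
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('cURL error: ' . $err);
    }
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return array($status, $response);
}

// Usage with a placeholder endpoint:
// list($status, $body) = postJson('https://api.example.com/v2/transactions',
//                                 array('amount' => 100, 'currency' => 'EUR'));
```

If you apply this to the wrapper rather than deleting the line, keep the rest of the Curl.php options as they are and only replace the value 3; after the change, a quick test transaction against the API confirms that the handshake now succeeds over TLS.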
We will keep you updated on POODLE and any further measures. If you have any questions, let us know by sending an email to our support team.