POODLE Issue: PayPal To Disable SSL 3.0 Support In Immediate Future
Recently, it has been discovered that the internet security protocol SSL 3.0 is not as secure as it was supposed to be. The vulnerability affecting this widespread but 15-year-old protocol is known in the industry as “POODLE” (CVE-2014-3566). It is of concern because it allows an attacker positioned between a client and a server to force the connection down to SSL 3.0 and then decrypt parts of the traffic it protects, such as session cookies, which is what the original phrasing “gain access to secured connections” means in practice.
This is a hosting configuration issue, which is unrelated to Magento. However, it certainly has implications for merchants that use PayPal, and it also affects other payment gateways that still accept SSL 3.0. The issue gains prominence because PayPal, as well as other payment gateways, is planning to disable SSL 3.0 support in the immediate future so that the vulnerability cannot be exploited against their connections.
Let us look at the scenario with PayPal. Merchants are required to disable SSL 3.0 on hosts that interact with PayPal before December 3, 2014, and to make those connections use Transport Layer Security (TLS) instead, so that they can avoid payment operation failures once PayPal stops accepting SSL 3.0. PayPal has provided a Merchant Response Guide on its blog so that merchants can address this issue.
Merchants can also reach out to their hosting provider for help with changing the protocol settings, and should double-check the domains of any other payment gateways they use to verify whether those are affected by POODLE. This verification can be done with the POODLE Scan Testing Tool. Further information and useful analysis of the POODLE issue is also available from Google, whose researchers discovered it, if merchants are interested in additional detail.
Once again, this issue is a vulnerability in the SSL 3.0 protocol itself. It is not a security issue with either PayPal or Magento. The decision taken is that SSL 3.0 will no longer be supported, so that the attack can no longer be used against these connections.
Following are the next steps for merchants that use PayPal.
- Test your current integration against the PayPal Sandbox. Point your test environment at the Sandbox, run the integration, and check the log files. If the client is negotiating SSL 3.0, it needs to be configured to use TLS for its secure connection. The Merchant Response Guide (MRG) provides more information on how to determine whether you are using SSL 3.0.
- Update to TLS. Refer to the MRG for how to update to TLS using common languages and connection methods. Exact settings may vary.
- Issue new credentials. After you have successfully tested and upgraded to TLS, PayPal recommends that you reissue and download new Application Programming Interface (API) credentials for any API requests. This step is recommended but not required. If you use certificate authentication, no action is required; if you use Signature authentication, refer to the API Credentials page; if you use OAuth authentication, visit the API Management page.
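The first two steps above come down to two checks: does the client still offer SSL 3.0 on the wire, and is the client's TLS configuration actually pinned above SSL 3.0? The example below is added here to illustrate both and is not code from PayPal's Merchant Response Guide or from Magento. It parses the version field of a captured ClientHello (the first handshake message a client sends, and the place where a packet capture or a verbose cURL/OpenSSL log shows the offered protocol), and it builds a Python `ssl` client context that cannot negotiate SSL 3.0. The ClientHello bytes are constructed sample input, not a real capture; the function names and the choice of TLS 1.2 as the floor are this example's own, stricter than the 2014 guidance, which only required moving off SSL 3.0.

```python
import ssl

# Protocol versions as they appear on the wire, as (major, minor).
VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}


def make_client_hello(major, minor):
    """Build a minimal, constructed ClientHello record for the given version.

    Sample input only: a real ClientHello carries a random nonce, many cipher
    suites and extensions; this one carries just enough to be parsed.
    """
    body = (
        bytes([major, minor])        # client_version: the highest version offered
        + b"\x00" * 32               # random (zeroed in this sample)
        + b"\x00"                    # session_id length 0
        + b"\x00\x02\x00\x2f"        # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"                # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + bytes([major, minor]) + len(handshake).to_bytes(2, "big") + handshake


def client_hello_version(record):
    """Return the protocol version a ClientHello offers, e.g. "SSLv3".

    Layout: record header (type 0x16, version, 2-byte length), then a handshake
    header (type 0x01, 3-byte length), then client_version.  A TLS 1.3 client
    still writes TLSv1.2 here and puts its real offer in the supported_versions
    extension, which this parser does not read.
    """
    if len(record) < 11:
        raise ValueError("record too short to hold a ClientHello header")
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    record_len = int.from_bytes(record[3:5], "big")
    if len(record) < 5 + record_len:
        raise ValueError("truncated record")
    if record[5] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    client_version = (record[9], record[10])
    return VERSION_NAMES.get(client_version, "unknown %d.%d" % client_version)


def offers_sslv3(record):
    """True if this ClientHello would let a server settle on SSL 3.0."""
    return client_hello_version(record) == "SSLv3"


def tls_only_context():
    """A client SSLContext that can never negotiate SSL 3.0.

    minimum_version is the current replacement for the older OP_NO_SSLv3 flag;
    create_default_context() already excludes SSLv2/v3 on current Pythons, and
    the explicit floor makes the intent visible in the configuration.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def allows_sslv3(ctx):
    """Configuration check: could this context still negotiate SSL 3.0?"""
    floor_is_low = ctx.minimum_version <= ssl.TLSVersion.SSLv3
    flag_missing = not (ctx.options & ssl.OP_NO_SSLv3)
    return floor_is_low and flag_missing


if __name__ == "__main__":
    for name, (major, minor) in (("SSLv3", (3, 0)), ("TLSv1.0", (3, 1))):
        rec = make_client_hello(major, minor)
        print(name, "->", client_hello_version(rec), "offers SSLv3:", offers_sslv3(rec))
    ctx = tls_only_context()
    print("minimum version:", ctx.minimum_version.name, "allows SSLv3:", allows_sslv3(ctx))
```

The same two ideas carry over to the stacks a Magento host actually uses: in PHP's cURL the client-side equivalent is setting `CURLOPT_SSLVERSION` to `CURL_SSLVERSION_TLSv1` (or a specific TLS 1.x constant), and on an Apache front end the server-side equivalent is `SSLProtocol all -SSLv2 -SSLv3`. As the MRG notes, exact settings vary by language and connection method.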
To conclude, Magento has also emailed its customers about the POODLE vulnerability and about PayPal and other payment gateways disabling SSL 3.0 support. The best way forward is to upgrade to Transport Layer Security (TLS) before December 3, 2014, to avoid payment operation failures.