A few weeks ago, on October 14th, three researchers on the Google Security Team (Bodo Möller, Thai Duong and Krzysztof Kotowicz) published a vulnerability in Secure Sockets Layer (SSL) version 3.0 that lets an attacker decrypt pieces of supposedly protected traffic. The vulnerability is being referred to as POODLE, which stands for "Padding Oracle On Downgraded Legacy Encryption." For the non-tech savvy, this means that someone who can sit between you and the site you are visiting (for example on the same public Wi-Fi network) can force your web browser and the web or email server on the other end to fall back to an older form of protection, SSL 3.0, and then read some of what is sent over that connection.
Why would they want to control which SSL version you are using? Because what the Google researchers really found is a design flaw in SSL 3.0 itself, one that cannot be patched away: when it encrypts with a block cipher (CBC mode), the padding bytes added to the end of each message are not covered by the integrity check, so the server accepts or rejects a tampered message based on a single byte of padding. Once the connection has been downgraded, the attacker makes your browser send many near-identical requests (typically through JavaScript injected into an unencrypted page you are viewing) and treats each accept-or-reject answer as a one-bit "oracle". On average 256 requests reveal one byte, so a session cookie of a few dozen characters falls in a few thousand requests, and with that cookie the attacker can impersonate you on the site.
Luckily, SSL 3.0 was superseded back in 1999 by Transport Layer Security (TLS), which does not have this flaw. Most servers and browsers already use TLS, but many kept the ability to fall back to SSL 3.0 when a TLS connection fails, so that they can still talk to a site or application that has never been updated. That fallback for the sake of interoperability is what the attacker exploits: by interfering with the TLS handshake, they make the browser retry with SSL 3.0, and the built-in padding weakness does the rest. Google's announcement also proposed a fix for the downgrade step itself, TLS_FALLBACK_SCSV, a signal that lets a server recognise and reject a retry at a lower version than the client actually supports.
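The mechanics behind the "many requests" described above, as an added example that is not part of this post or of Google's paper: a small Python simulation of an SSL 3.0 CBC record and the byte-at-a-time recovery. It assumes a toy Feistel block cipher and HMAC-SHA1 in place of the real SSL 3.0 primitives, and a `Victim` object standing in for the browser/server pair (both constructed for the demo). The IV is handed to the attacker in the clear, which matches real SSL 3.0, where a record's IV is the previous record's last ciphertext block and is visible on the wire.

```python
# Added teaching example, not code from the Google paper or from Authorize.Net. It
# simulates the SSL 3.0 record layout POODLE exploits (data || MAC || padding, only the
# padding-length byte checked, filler bytes unauthenticated). The 16-byte Feistel block
# cipher and HMAC-SHA1 are stand-ins for the real SSL 3.0 primitives.
import hashlib
import hmac
import os

BLOCK, MAC_LEN = 16, 20   # block size (same as AES), HMAC-SHA1 output length

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):   # Feistel round function: keyed hash of one half-block
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_encrypt(key, blk):
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        out.append(_xor(block_decrypt(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    return b"".join(out)

def ssl3_seal(key, mac_key, msg):
    """Sender: msg || MAC || padding, CBC-encrypted under a fresh IV."""
    body = msg + hmac.new(mac_key, msg, hashlib.sha1).digest()
    pad_len = BLOCK - len(body) % BLOCK   # 1..16; a whole block when body is aligned
    # SSL 3.0 padding: arbitrary filler bytes, last byte = number of filler bytes
    body += os.urandom(pad_len - 1) + bytes([pad_len - 1])
    iv = os.urandom(BLOCK)
    return iv, cbc_encrypt(key, iv, body)

def ssl3_open(key, mac_key, iv, ct):
    """Receiver: the only padding check SSL 3.0 performs is on the length byte."""
    pt = cbc_decrypt(key, iv, ct)
    n = pt[-1]
    if n > BLOCK - 1:
        return None                        # padding length out of range
    body = pt[:len(pt) - n - 1]            # filler bytes stripped, never inspected
    msg, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, msg, hashlib.sha1).digest()):
        return None                        # MAC failure
    return msg

class Victim:
    """Browser and server on one SSL 3.0 session. Injected JavaScript lets the attacker
    choose the request path (prefix) and body (suffix); the cookie stays secret."""
    def __init__(self, cookie):
        self.key, self.mac_key, self.cookie = os.urandom(16), os.urandom(16), cookie
    def send_request(self, prefix, suffix):
        return ssl3_seal(self.key, self.mac_key, prefix + self.cookie + suffix)
    def server_accepts(self, iv, ct):
        return ssl3_open(self.key, self.mac_key, iv, ct) is not None

def poodle_recover_cookie(victim, cookie_len, max_tries=20000):
    """Recover the cookie byte by byte from the server's accept/reject answers."""
    recovered = bytearray()
    for k in range(cookie_len):
        # path length so cookie byte k is the LAST byte of some block i; body length so
        # msg || MAC is block-aligned and the record ends with a full padding block,
        # whose length byte must therefore decrypt to BLOCK - 1 (= 15) to be accepted
        prefix_len = (-(k + 1)) % BLOCK
        suffix_len = (-(prefix_len + cookie_len + MAC_LEN)) % BLOCK
        target = (prefix_len + k) // BLOCK   # block index i holding cookie byte k
        for _ in range(max_tries):
            iv, ct = victim.send_request(b"A" * prefix_len, b"B" * suffix_len)
            blocks = [iv] + [ct[j:j + BLOCK] for j in range(0, len(ct), BLOCK)]
            # replace the padding block C_n with C_i: the server decrypts it as
            # D(C_i) xor C_{n-1} and accepts iff the last byte of that equals 15
            tampered = ct[:-BLOCK] + blocks[target + 1]
            if victim.server_accepts(iv, tampered):
                # so D(C_i)[15] = 15 xor C_{n-1}[15], and P_i[15] = D(C_i)[15] xor C_{i-1}[15]
                recovered.append((BLOCK - 1) ^ blocks[-2][-1] ^ blocks[target][-1])
                break
        else:
            raise RuntimeError("no accept in %d tries for byte %d" % (max_tries, k))
    return bytes(recovered)

if __name__ == "__main__":
    v = Victim(b"sessionid=42")   # constructed secret for the demo
    print(poodle_recover_cookie(v, len(v.cookie)))
```

Each attempt succeeds with probability 1/256, so recovering a short cookie takes a few thousand simulated requests, the same order of magnitude as the real attack. The line to notice is in `ssl3_open`: the filler bytes are stripped without ever being looked at, and that single unchecked choice is the whole oracle. TLS 1.0 and later require every padding byte to equal the length byte, which is why the attack does not carry over to a connection that stays on TLS.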
Both sides of the connection have to allow SSL 3.0 for the attack to work, so you are most exposed if your browser still uses SSL 3.0 by default, most notably Internet Explorer 6 on Windows XP, which ships with TLS turned off. Current browsers prefer TLS but have kept the fallback: Mozilla has announced that Firefox 34, due November 25th, will disable SSL 3.0 by default, and Google has said it will remove SSL 3.0 support from Chrome entirely. In the meantime Chrome users can turn it off themselves by starting the browser with the --ssl-version-min=tls1 command-line flag.
Authorize.Net released a notice about POODLE on October 28th, informing merchants that it will disable SSL 3.0 on its servers on November 4th. This affects the connection that your website or shopping cart makes to Authorize.Net when it submits a transaction: if that software, or the SSL library it relies on, can only speak SSL 3.0, transactions will fail after that date until it is updated to use TLS. If you are a merchant and are not sure whether your integration uses SSL 3.0, please contact your web developer or shopping cart vendor to find out.
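A way to check the server side, as an added example that is not Authorize.Net's or Google's code: this Python script sends a hand-built SSL 3.0 ClientHello to a host and classifies the reply. It uses raw sockets rather than Python's `ssl` module because recent OpenSSL and Python builds often cannot speak SSL 3.0 at all, so `openssl s_client -connect host:443 -ssl3` may fail for reasons unrelated to the server you are testing. The cipher-suite list and the alert-name table are assumptions made for the demo; the constructed ServerHello and alert bytes in the test are not captured from any real server.

```python
# Added example (not Authorize.Net's or Google's code): probe a server for SSL 3.0
# support by sending a raw SSLv3 ClientHello and reading the first record back.
import os
import socket
import struct
import sys

SSL3 = (3, 0)
# A few suites any SSL 3.0 server would recognise (registry values; chosen for the demo)
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005]
ALERTS = {40: "handshake_failure", 70: "protocol_version", 47: "illegal_parameter",
          10: "unexpected_message", 80: "internal_error"}

def build_client_hello(version=SSL3, suites=CIPHER_SUITES):
    """Return an SSLv3 ClientHello inside a handshake record (no extensions)."""
    suites_blob = b"".join(struct.pack("!H", s) for s in suites)
    body = (bytes(version) + os.urandom(32)          # client_version, random
            + b"\x00"                                 # empty session_id
            + struct.pack("!H", len(suites_blob)) + suites_blob
            + b"\x01\x00")                            # compression methods: null only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type=1, 24-bit length
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """Interpret the first record the server sends back."""
    if not data:
        return "closed"                               # server dropped or timed out
    ctype = data[0]
    if ctype == 0x16 and len(data) >= 11 and data[5] == 0x02:
        srv_version = (data[9], data[10])             # ServerHello.server_version
        return "sslv3-accepted" if srv_version == SSL3 else "negotiated %d.%d" % srv_version
    if ctype == 0x15 and len(data) >= 7:
        desc = data[6]                                # AlertDescription
        return "alert:%s(%d)" % (ALERTS.get(desc, "unknown"), desc)
    return "unrecognised"

def probe(host, port=443, timeout=5.0):
    """Connect, send the SSLv3 ClientHello, and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            data = s.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: %s HOST [PORT]" % sys.argv[0])
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(sys.argv[1], "->", probe(sys.argv[1], port))
```

Run it against a host you operate (`python probe_sslv3.py example.com`, with whatever file name you saved it under): `sslv3-accepted` means the server completed an SSL 3.0 handshake and should have the protocol disabled, an alert name means it refused, and `closed` means it simply dropped the connection. Be clear about what this does and does not tell a merchant: it shows whether a server you run still offers SSL 3.0, which is the browser-facing problem. Whether your cart's calls to Authorize.Net keep working after November 4th depends on the client library your cart uses being able to speak TLS, and that is a question for the cart vendor or for a test transaction against the gateway.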
As always, our team here at eCom Merchant Solutions, Inc is available to answer any questions you might have about your merchant and gateway accounts. Please feel free to email us with any concerns regarding POODLE and Authorize.Net's removal of SSL 3.0, and we will be happy to research the issue for you and do our best to provide a solution.
You can find Google's original announcement, which links to the technical paper describing the attack, here: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html