SSL Vulnerabilities: POODLE
This year has not been a good year for SSL — one of the fundamental protocols relied on for secure communication. Last week saw the announcement of the POODLE vulnerability.
Here's what you need to know: FoxyCart has patched our servers against POODLE. Your store is safe!
We have also ensured that all of our payment gateway connections use only the latest versions of SSL. Most gateways have disabled older versions of SSL in response to the POODLE advisory. You may have gotten an email from Authorize.net or another provider this week warning about the impending shutdown of their SSLv3 support. Don't worry! We've tested things out and your store will continue to work as normal.
Related to BEAST and CRIME/BREACH, the POODLE attack forces the victim to use an older version of SSL, namely SSL version 3" abbreviated SSLv3. Because of weaknesses in SSLv3's ciphers, the attacker can attempt to extract secret information byte-by-byte with a "padding oracle" attack. This requires that an attacker sit between the victim and the server the victim wants to communicate with, that the attacker be able to inject code into a plain-text site on the same domain. The injected code tricks the victim's browser into sending several thousand requests to the server, which the attacker uses to guess parts of the encrypted data.
The collective response from Internet services everywhere was to disable SSLv3, and we've followed suit. The recommendation from Google is also to add a protection that prevents an attacker from forcing a protocol downgrade, and we've added that to our servers at FoxyCart. Additionally, newer versions of Chrome will disable SSLv3 by default.
In an analysis of our systems, we didn't find any particularly easy attack vector — 99% of our traffic is over SSL, preventing script injection, and browser same-domain origin policies make it difficult to mount a POODLE-based attack on FoxyCart. As always, we will keep monitoring our systems for anomalous activity.
Photo by Peter Roome
The views expressed in the above post are the author's own, and may not reflect those of FoxyCart.com LLC.