PayPal and Authorize.net Respond to the POODLE Vulnerability: Blog Update

We've taken every precaution to protect Miva users from the POODLE vulnerability, and now PayPal and Authorize.net have a few things to say to the businesses reliant on SSLv3. The following information is for those of you who are not hosted with Miva. On October 24th, 2014, PayPal came out with a statement asking SSLv3 users to disable that possibly tainted version of Secure Sockets Layer. To help streamline the process and to protect your internet business from harm, PayPal put together a comprehensive Merchant Response Guide. The guide will walk you through all the steps needed to secure your site against the POODLE vulnerability. Click here to get started.

Authorize.net has released a similar statement, saying "Authorize.net itself is not vulnerable to POODLE, but we are making changes to our systems to assure that we are providing our merchants and their customers with the highest degree of security possible." – Authorize.net email correspondence October 28th, 2014.

On November 4th, 2014, Authorize.net will be disabling the use of SSLv3. This means any merchants using SSLv3 will no longer be able to process transactions. To keep your site from being affected by the disabling, Authorize.net has asked that you contact your shopping cart solutions provider. Remember, this does not include those of you operating on Miva, as we have already resolved the issue.

Click here for more information from Authorize.net or read on to learn about the POODLE Vulnerability and Miva. Blog originally posted on October 17th, 2014.

________________________________________________________________________________________________________________________________________

The POODLE has left the building. No, don’t be sad, it’s not the fluffy four-legged kind, it’s the slimy, sneak attack hijacking kind. Yes, yet another security “bug” or dog in this case, is causing slightly less panic than “Shellshock” but still requires precautions.

The security hole was discovered by three Google security researchers in a basic protocol used for encrypting web traffic. The Padding Oracle on Downgraded Legacy Encryption (POODLE) affects SSLv3, version 3 of the Secure Sockets Layer protocol, which is used to encrypt traffic between a browser and a website, or a user’s email client and mail server.

A POODLE attack uses JavaScript, and the attacker has to be on the same network as you, which makes the vulnerability less severe than its predecessors. Because the attack cannot be carried out remotely, the real threat is on any shared network, for example the abundant, around-the-clock, always-in-demand Starbucks Wi-Fi.

POODLE does not have the capability to hack into your personal computer, “but POODLE could allow an attacker to hijack and decrypt the session cookie that identifies you to a service like Twitter or Google, and then take over your accounts without needing your password.” Blog Post – Wired Magazine 10.14.14

To prevent POODLE from attacking your network, Google’s security team has recommended that systems administrators simply turn off support for SSLv3. We have resolved the issue by disabling SSLv3, so anyone hosted with Miva can rest assured. Anyone not hosted with Miva should contact their administrators and ask that they follow suit. Those of you running old versions of the Miva Engine (5.16 and lower) will need to upgrade to the latest engine release, which we’ve already done for all of our hosting clients.
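One way to confirm that a server really has SSLv3 turned off, shown as an added example that is not code from Miva, PayPal or Authorize.net: send a ClientHello that offers only SSLv3 and look at the first bytes of the reply. The function names and the sample reply bytes are constructed for this illustration.

```python
import socket
import struct

SSLV3 = b"\x03\x00"  # SSL 3.0 as it appears in record and hello version fields

# Constructed sample replies (first bytes only), used to exercise the classifier offline.
SAMPLE_SERVER_HELLO = b"\x16\x03\x00\x00\x2a\x02\x00\x00\x26\x03\x00"  # server agrees to SSLv3
SAMPLE_ALERT = b"\x15\x03\x00\x00\x02\x02\x28"  # fatal alert 40, handshake_failure


def build_sslv3_client_hello() -> bytes:
    """Return one handshake record holding a ClientHello that offers only SSLv3."""
    random = bytes(32)  # fixed value: acceptable for a probe that never finishes the handshake
    suites = b"\x00\x2f\x00\x35\x00\x0a\x00\x05"  # AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA
    body = (SSLV3 + random + b"\x00"                     # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites    # cipher suite list
            + b"\x01\x00")                               # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first bytes a server sends back after the SSLv3-only hello."""
    if not data or data[0] == 0x15:
        return "rejected"      # closed the connection or answered with an alert
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:
        # ServerHello: the version the server chose sits at offsets 9-10
        return "accepted" if data[9:11] == SSLV3 else "unexpected"
    return "unexpected"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the hello to host:port and report whether SSLv3 was negotiated."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.sendall(build_sslv3_client_hello())
            return classify_response(conn.recv(4096))
    except ConnectionResetError:
        return "rejected"


if __name__ == "__main__":
    print(classify_response(SAMPLE_SERVER_HELLO))  # accepted: SSLv3 still enabled
    print(classify_response(SAMPLE_ALERT))         # rejected: SSLv3 disabled
```

Run `probe()` only against hosts you administer. A server that still speaks SSLv3 but shares none of the four offered cipher suites also answers with an alert, so a "rejected" result should be confirmed against the server's own protocol settings.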

To learn more about POODLE, click any of the resources below.

Cloudflare.com

Wired