An issue impacting SSL connections has recently been revealed as POODLE – Padding Oracle On Downgraded Legacy Encryption. It was disclosed to the public in October, by engineers working for Google.
POODLE means that encrypted communication using the SSL 3.0 protocol can be decrypted, which could be highly dangerous in situations where somebody decides to take the time to exploit it. Essentially, the plain text of secure connections may be visible to attackers.
It is believed that as SSL 3.0 is now almost 20 years old, this issue may not be fully fixed. Instead, users may be encouraged to use Transport Layer Security (known as TLS) as an alternative.
How can this be rectified?
It is advisable to disable SSL version 3.0 completely on all servers. This is done on the server, not via Magento. TLS can also be used however this may be difficult to implement as a solution. This also unfortunately does not guarantee long term security.
Paypal have also recently announced that they are behind efforts to remove SSL 3.0 encryption from all of their merchants’ sites. This may force site owners into speaking with their hosting provider, as Paypal are discontinuing support for SSL 3.0 on 3rd December 2014.
For those on Magento, the solution should not prove to be an issue. Simply connect Paypal’s API via TLS, using CURL. Your web host should be able to disable SSL 3.0, and if look after your own server, you will need to disable SSL 3.0 manually. Don’t worry, this won’t affect customers’ access to your store.
We found this handy post, which explains, step by step, how you can save your site from POODLE, if you’re able to look after this issue by yourself.
If you have had problems with POODLE and SSL 3.0 on your Magento online store, why not get in touch with Fluid Digital? It is expected that around half of Magento sites may be affected. Online security is one of the most vital parts of your business, and should be explored carefully. If you’re in doubt, why not speak to our dedicated team of Magento certified developers?