Protecting your website against the POODLE vulnerability

All users and merchants are at risk of the POODLE vulnerability.

Integrating with Peach Payments using the Copy and Pay or the iFrame (WPF) methods does not protect you from this vulnerability. The use of Copy and Pay or the iFrame does not automatically block SSLv3 from being used by the user's browser.

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communication security over the Internet.

There are several protocol versions of TLS/SSL: SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2. Internally, TLS 1.0/1.1/1.2 are SSL 3.1/3.2/3.3 respectively.

The majority of browsers today support TLS 1.0 onwards. The only remaining browser that does not support TLSv1.0 is Internet Explorer 6.

Most new browser versions will now stop supporting SSLv3, and Mozilla has already announced that Firefox 34 (Nov 25 release date) will no longer support SSLv3.

To protect against the POODLE bug, block / disable the SSL v3 protocol (at least for HTTPS) on your servers. If a user is using the SSLv3 protocol, Peach Payments systems will reject the connection.

Once you disable SSLv3 for the HTTPS service, the user's browser should automatically select the TLS 1.0 protocol or higher.

Users still using Internet Explorer 6 will not be able to transact. In this case you can detect the protocol being used and then display a message to the user to upgrade their browser.
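
One way to do the detection described above, as an added example (not Peach Payments code): a Python WSGI middleware that reads the negotiated protocol and answers SSLv2/SSLv3 connections with an upgrade notice. It assumes the TLS front end exposes the protocol in an `SSL_PROTOCOL` variable, as Apache mod_ssl does with `SSLOptions +StdEnvVars`; `RequireTLS`, `shop_app` and the notice text are hypothetical.

```python
# Added example: show an upgrade notice when the connection used SSLv2/SSLv3.
# Assumption: the TLS front end exports the negotiated protocol in the WSGI
# environ as SSL_PROTOCOL (Apache mod_ssl: "SSLOptions +StdEnvVars").

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}  # values as reported by mod_ssl

UPGRADE_NOTICE = (
    b"<html><body><h1>Please upgrade your browser</h1>"
    b"<p>Your browser connected with SSL 3.0 or older, which is no longer "
    b"accepted for payments. Use a browser that supports TLS 1.0 or higher."
    b"</p></body></html>"
)


class RequireTLS:
    """WSGI middleware (hypothetical name): block weak-protocol requests."""

    def __init__(self, app, protocol_key="SSL_PROTOCOL"):
        self.app = app
        self.protocol_key = protocol_key

    def __call__(self, environ, start_response):
        protocol = environ.get(self.protocol_key, "").strip()
        if protocol in WEAK_PROTOCOLS:
            # Serve only the static notice; the wrapped app never runs, so it
            # sends no checkout content or new cookies over the weak connection.
            start_response("200 OK", [
                ("Content-Type", "text/html; charset=utf-8"),
                ("Content-Length", str(len(UPGRADE_NOTICE))),
                ("Cache-Control", "no-store"),
            ])
            return [UPGRADE_NOTICE]
        # TLS 1.0+ (or protocol not reported, e.g. plain HTTP): pass through.
        return self.app(environ, start_response)


def shop_app(environ, start_response):
    """Stand-in for the merchant's checkout application (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"checkout page"]


application = RequireTLS(shop_app)
```

The middleware only handles messaging for connections that still reach the application; the protection itself comes from disabling SSLv3 on the server as described above.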
