Paypal, Poodle and SSLv3 for Magento hosting customers

The latest in the recent spate of “security scares” (Heartbleed, Shellshock, et al.) is upon us: the SSL3 Poodle!

The non-tech summary is “SSL3 is an older, weaker protocol for encrypting connections, and it is vulnerable. Modern secure connections should use its successor, called TLS”. Poodle lets an attacker on the network path force a browser to fall back from TLS to SSL3 and then recover secrets such as session cookies from the weaker connection, which is why the fix is simply to stop offering SSL3 at all.

So in this post, Poodle SSL 3.0 Vulnerability by Joe Nash for the PayPal & Braintree Developer Blog, we see that PayPal are driving the effort to flush SSL3 out of all of their merchants’ sites, which we think is a good thing, as it will force operators/owners to ask the question of their hosting provider / ecommerce software provider / developer.

Here’s a good place to ask the question: http://foundeo.com/products/iis-weak-ssl-ciphers/test.cfm – just plug your domain into this tool and it will report which protocol versions your server offers. If the TLSv1 test shows “Disabled” you’ll have a problem with PayPal very soon! If SSLv3 shows as enabled (instead of or as well as TLS) then it really should be disabled, to mitigate the Poodle problem.
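If you would rather run the same check yourself from a shell, the script below is an added example (not code from the original post, PayPal or Layer 5). It asks the server for a handshake once per protocol version with `openssl s_client` and classifies each transcript as enabled, disabled or untestable; the host name and port you pass in are assumptions, and the transcript-matching is based on the text `s_client` prints on success and on a refused version.

```shell
#!/bin/sh
# Added example: probe which SSL/TLS versions a server will negotiate.
# Not code from the original post, PayPal or Layer 5; host/port are assumptions.

# classify_handshake TRANSCRIPT -> enabled | disabled | untestable
classify_handshake() {
    transcript=$1
    # Our own openssl was built without that version: the probe proves nothing.
    if printf '%s\n' "$transcript" | grep -qi 'unknown option'; then
        echo untestable
    # Server refused the version: no cipher negotiated, or a fatal alert.
    elif printf '%s\n' "$transcript" | grep -q 'Cipher is (NONE)' \
      || printf '%s\n' "$transcript" | grep -qiE 'handshake failure|protocol version|wrong version number'; then
        echo disabled
    # A session was established using that version.
    elif printf '%s\n' "$transcript" | grep -qE '^ *Protocol *: *(SSLv3|TLSv1(\.[0-9])?)'; then
        echo enabled
    else
        echo untestable   # e.g. connection refused, DNS failure, openssl missing
    fi
}

# probe HOST PORT PROTO   (PROTO is one of: ssl3 tls1 tls1_1 tls1_2)
probe() {
    host=$1; port=$2; proto=$3
    sni=""
    # SNI is a TLS extension, so only send it on the TLS probes.
    [ "$proto" != ssl3 ] && sni="-servername $host"
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" $sni -"$proto" 2>&1)
    printf '%-7s %s\n' "$proto" "$(classify_handshake "$out")"
}

# Usage: sh poodle-check.sh shop.example.com [443]   (hostname is an assumption)
if [ $# -ge 1 ]; then
    for proto in ssl3 tls1 tls1_1 tls1_2; do
        probe "$1" "${2:-443}" "$proto"
    done
fi
```

What you want to see is `ssl3 disabled` and at least one `tls1*` line reporting `enabled`. An `untestable` result on the `ssl3` row usually means your own OpenSSL build has SSLv3 compiled out, in which case use the online tool above instead. If `ssl3` comes back `enabled`, the fix is on the server: restrict the protocol list (Apache: `SSLProtocol all -SSLv2 -SSLv3`; nginx: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`), reload, and re-run the probe.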

Layer 5 Hosting Status

All of our Linux and FreeBSD estate servers already use TLS as their primary protocol, so customers who have their Magento installations, servers and SSL certificates through Layer 5 need not worry about the PayPal statement: everything will continue to work on December 3rd.

We also have a rolling programme of patching and updates across the whole of our estate, and 99 times out of 100 these are non-disruptive. On any servers that still accept SSL3 as a fallback, we will be phasing it out; this is most likely to be a non-disruptive change, since the only clients that will notice are those that cannot speak TLS at all, such as Internet Explorer 6 on Windows XP.

So Layer 5 Customers, as ever, just go about your business!

And one last thing…

It’s always a good time to ensure your backup regime is in good order, but especially so if you’re about to embark on a set of patches / updates to anything that might affect your ability to do business (not sure if you saw our Death of a Server post?). So ask away, and make sure you know what your “Return to Live” time-scale is: knowing that figure is a sign that your backup regime has been tested and proven, and is more than just a theory!