Ho ho ho! Santa’s brought a real sack of coal this year for some e-commerce merchants. A new attack on the SSL 3.0 protocol – POODLE – has been published, and PayPal is poised to pull SSL 3.0 support before Black Friday and Cyber Monday, the biggest shopping days of the year.
So what does it all mean? And how can you protect yourself or test your store for POODLE vulnerability right now?
We took an in-depth look at more than 1000 Magento e-commerce shops in our system. Of the sites we found with SSL support, more than half still had SSL 3.0 enabled: we were able to connect to them and negotiate an SSL 3.0 session, which is exactly what POODLE needs, so those stores are vulnerable. The remaining sites with SSL were verified to accept only the newer TLS protocol and to have SSL 3.0 disabled.
What about the sites we saw with no SSL? Well…they may be safe from the POODLE attack, but they basically had no encryption support at all. Yeah. Approximately 25% of the sites we surveyed are up and running with no network traffic encryption whatsoever. It is possible, though, that some of those sites have no need for network encryption (i.e. no login or credit card information is ever requested from visitors).
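The check behind the numbers above, whether a server will still complete an SSL 3.0 handshake, can be done without any special tooling. The script below is an added example written for this article; it is not the article's own "quick POODLE tool" and not Magento code. It hand-builds an SSLv3 ClientHello that offers only CBC cipher suites (the ones POODLE's padding trick applies to), sends it, and classifies the first record that comes back. Building the handshake by hand matters because current OpenSSL builds are compiled without SSLv3, so `openssl s_client -ssl3` fails locally with "unknown option" and tells you nothing about the server. The host and port are taken from the command line; the two sample replies in the script are constructed, not captured from any real shop.

```python
"""SSLv3 handshake probe: does a server still accept an SSL 3.0 ClientHello?"""
import os
import socket
import struct
import sys
import time

SSLV3 = b"\x03\x00"  # ProtocolVersion {3, 0}

# CBC cipher suites a 2014-era SSLv3 server commonly offered (IANA code points);
# these are the suites POODLE's padding-oracle trick applies to.
CBC_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}

# Alert descriptions a server with SSLv3 disabled typically sends back.
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}

# Constructed sample replies (not captured from any real host) for the demo:
# a ServerHello that picks SSL 3.0 + AES-128-CBC, and a fatal handshake_failure alert.
SAMPLE_SERVER_HELLO = (
    b"\x16\x03\x00\x00\x2a"        # record: handshake, SSL 3.0, 42 bytes
    + b"\x02\x00\x00\x26"          # ServerHello, 38-byte body
    + SSLV3 + b"\x00" * 32         # server_version, random
    + b"\x00"                      # empty session_id
    + b"\x00\x2f"                  # TLS_RSA_WITH_AES_128_CBC_SHA
    + b"\x00"                      # null compression
)
SAMPLE_ALERT = b"\x15\x03\x00\x00\x02\x02\x28"  # alert, fatal, handshake_failure


def build_sslv3_client_hello(client_random=None):
    """Return one SSLv3 handshake record carrying a ClientHello.

    client_random is the 32-byte Random field; it is a parameter only so the
    output can be checked deterministically.
    """
    if client_random is None:
        client_random = struct.pack(">I", int(time.time())) + os.urandom(28)
    if len(client_random) != 32:
        raise ValueError("ClientHello random must be 32 bytes")
    suites = b"".join(struct.pack(">H", cs) for cs in CBC_SUITES)
    body = (
        SSLV3                                      # client_version = SSL 3.0
        + client_random
        + b"\x00"                                  # empty session_id
        + struct.pack(">H", len(suites)) + suites  # cipher_suites<2..>
        + b"\x01\x00"                              # compression_methods: null only
    )
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body  # type=client_hello, uint24 length
    return b"\x16" + SSLV3 + struct.pack(">H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server sent back after our SSLv3 ClientHello.

    Returns a string starting with "VULNERABLE", "rejected" or "unknown".
    """
    if len(data) < 5:
        return "rejected: server closed the connection without answering"
    content_type = data[0]
    length = struct.unpack(">H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == 0x15 and len(payload) >= 2:  # Alert: level, description
        desc = payload[1]
        return "rejected: alert %s (%d)" % (ALERT_NAMES.get(desc, "unknown"), desc)
    if content_type == 0x16 and len(payload) >= 39 and payload[0] == 0x02:  # ServerHello
        if payload[4:6] != SSLV3:
            return "rejected: server answered with version %s" % payload[4:6].hex()
        sid_len = payload[38]  # after type(1)+len(3)+version(2)+random(32)
        if len(payload) < 41 + sid_len:
            return "unknown: truncated ServerHello"
        suite = struct.unpack(">H", payload[39 + sid_len:41 + sid_len])[0]
        return "VULNERABLE: SSLv3 accepted, suite %s" % CBC_SUITES.get(suite, "0x%04x" % suite)
    return "unknown: first record has content type 0x%02x" % content_type


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break  # peer closed the connection
        buf += chunk
    return buf


def check_host(host, port=443, timeout=5.0):
    """Open a TCP connection, send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            header = _recv_exact(sock, 5)
            if len(header) < 5:
                return classify_response(header)
            body = _recv_exact(sock, struct.unpack(">H", header[3:5])[0])
        except (socket.timeout, ConnectionResetError):
            return "rejected: connection reset or timed out after ClientHello"
    return classify_response(header + body)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python poodle_probe.py shop.example [443]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print("%s:%d -> %s" % (sys.argv[1], port, check_host(sys.argv[1], port)))
    else:  # no host given: show the classifier on the constructed samples
        print("sample ServerHello ->", classify_response(SAMPLE_SERVER_HELLO))
        print("sample alert       ->", classify_response(SAMPLE_ALERT))
```

A "rejected" result only says the server refused SSL 3.0 for this ClientHello; run it against every hostname and port the store answers on (admin panel, payment callback endpoints, a CDN in front of the shop), since each of those is a separate TLS endpoint with its own configuration.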
So what now? If you’re an e-commerce shop owner, the most important thing to do right now is to check that SSL 3.0 is disabled on your web server. POODLE needs a server that still accepts SSL 3.0, because the attacker’s trick is to force the customer’s browser to fall back to it; turn SSL 3.0 off on the server and that path is closed no matter what the browser does. Don’t worry…disabling SSL 3.0 does not make your store less accessible to customers, as this particular protocol is rarely in use anymore. Browsers have shipped with TLS enabled by default since 2006, and in practice the only visitors still limited to SSL 3.0 are on IE 6 or earlier. Recent reports from Net Applications show IE 6 holding only a 1.68% browser market share.
And now that we know we need to disable SSL 3.0 support on the server, how do we do it? We’ve compiled instructions for Apache httpd (with mod_ssl or mod_nss) and nginx, two of the more common servers used to run Magento installations, for your reference.
For httpd version 2.2.23 and newer with mod_ssl, specify all protocols except SSLv2 and SSLv3:
SSLProtocol ALL -SSLv2 -SSLv3
For httpd version 2.2.22 and older, specify only TLSv1. On those releases mod_ssl knows just one TLS name, so TLSv1 is treated as a wildcard for every TLS version. Don’t copy that form onto 2.2.23 or newer, where TLSv1 means TLS 1.0 only and would lock out TLS 1.1 and 1.2 clients.
For Apache + mod_nss, edit /etc/httpd/conf.d/nss.conf so that only TLS 1.0 and newer are allowed (the location of nss.conf may vary depending on your Linux distribution).
For nginx, modify the ssl_protocols directive to use only TLSv1, TLSv1.1, and TLSv1.2. If you do not have an ssl_protocols directive, add it right above your ssl_certificate directive; nginx releases of the time allow SSLv3 by default when the directive is missing:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
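Because the same directive means different things on different httpd releases, and an unprefixed protocol name in SSLProtocol replaces rather than adds to the list, it is easy to believe SSLv3 is off when it is not. The linter below is an added example, not the article's code: it resolves an Apache SSLProtocol line the way mod_ssl does (all, +name, -name, bare name replaces, and the 2.2.23 change in what TLSv1 means), reads nginx's ssl_protocols list, and reports whether SSLv3 is still negotiable. It assumes the 2014-era defaults for a missing directive ("all" for httpd 2.2, "SSLv3 TLSv1 TLSv1.1 TLSv1.2" for nginx before 1.9.1), and the config snippets inside it are constructed samples.

```python
"""Lint Apache SSLProtocol / nginx ssl_protocols settings for leftover SSLv3."""
import re

APACHE_ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANON = {p.lower(): p for p in APACHE_ALL}          # mod_ssl matches names case-insensitively
NGINX_OLD_DEFAULT = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}  # assumed: nginx < 1.9.1 default


def apache_protocols(args, httpd_version=(2, 2, 23)):
    """Resolve SSLProtocol arguments into the set of enabled protocol names.

    mod_ssl semantics: "all" is every known protocol, "+name" adds, "-name"
    removes, and a bare name REPLACES whatever was set so far, so
    "TLSv1 TLSv1.1 TLSv1.2" without prefixes leaves only TLSv1.2.  On httpd
    before 2.2.23, TLSv1 is the only TLS name and stands for all TLS versions.
    """
    enabled = set()
    for tok in args:
        op, name = "", tok
        if tok and tok[0] in "+-":
            op, name = tok[0], tok[1:]
        name = CANON.get(name.lower(), name)
        if name.lower() == "all":
            names = set(APACHE_ALL)
        elif name == "TLSv1" and httpd_version < (2, 2, 23):
            names = {"TLSv1", "TLSv1.1", "TLSv1.2"}
        else:
            names = {name}
        if op == "+":
            enabled |= names
        elif op == "-":
            enabled -= names
        else:
            enabled = names
    return enabled


def lint_apache(text, httpd_version=(2, 2, 23)):
    """Return [(line_no, enabled_set)] per SSLProtocol directive; line 0 marks the default."""
    found = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(?i)^SSLProtocol\s+(.+)$", line)
        if m:
            found.append((no, apache_protocols(m.group(1).split(), httpd_version)))
    return found or [(0, set(APACHE_ALL))]  # httpd 2.2 default "all" includes SSLv3


def lint_nginx(text):
    """Return [(line_no, enabled_set)] per ssl_protocols directive; line 0 marks the default."""
    found = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^ssl_protocols\s+([^;]+);", line)
        if m:
            found.append((no, set(m.group(1).split())))
    return found or [(0, set(NGINX_OLD_DEFAULT))]


def sslv3_allowed(findings):
    """True if any resolved directive (or the default) still lets SSLv3 be negotiated."""
    return any("SSLv3" in enabled for _, enabled in findings)


# Constructed sample configs (not taken from any real installation).
APACHE_BEFORE = """
<VirtualHost *:443>
    SSLEngine on
    # SSLv2 removed, but SSLv3 is still in "all"
    SSLProtocol all -SSLv2
</VirtualHost>
"""
APACHE_AFTER = """
    SSLProtocol ALL -SSLv2 -SSLv3
"""
NGINX_BEFORE = """
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/shop.crt;
}
"""
NGINX_AFTER = """
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/nginx/shop.crt;
"""

if __name__ == "__main__":
    for label, findings in (
        ("apache before", lint_apache(APACHE_BEFORE)),
        ("apache after", lint_apache(APACHE_AFTER)),
        ("apache 2.2.22 TLSv1", lint_apache("SSLProtocol TLSv1", (2, 2, 22))),
        ("apache bare list", lint_apache("SSLProtocol TLSv1 TLSv1.1 TLSv1.2")),
        ("nginx before", lint_nginx(NGINX_BEFORE)),
        ("nginx after", lint_nginx(NGINX_AFTER)),
    ):
        print("%-20s SSLv3 allowed=%-5s %s" % (label, sslv3_allowed(findings), findings))
```

Run it over every file your server actually loads (vhost includes too), then reload the server and confirm with a live handshake test; the linter reads text, it does not know which files httpd or nginx really include.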
Is your e-commerce shop ready for Black Friday? Checking your inventory and making sure the checkout process is smooth (which we can also do for you) is important. But you should also use our quick POODLE tool to check that both your store and your customers’ information are safe from this latest vulnerability, and run it again after you reload the server to confirm the configuration change actually took effect.