Google researchers have found a severe flaw in an obsolete but
still used encryption software, which could be exploited to steal sensitive
data—and the fix could break the Web for users of older web browsers.
The flaw is in SSL 3.0, a protocol more than 15 years old that modern web browsers and servers still support. SSL stands for “Secure Sockets Layer”; it encrypts data between a client and a server and secures most data sent over the Internet. Web browsers are designed to use newer versions of SSL or TLS (Transport Layer Security), but most browsers will fall back to SSL 3.0 if that’s all the server on the other end can do.
The POODLE attack can force a connection to fall back to SSL 3.0, where it is then possible to steal cookies, the small data files that enable persistent access to an online service. If stolen, a cookie could allow an attacker access to someone’s Web-based email account, for example. An attacker would have to control the network a victim is connected to in order to conduct this kind of man-in-the-middle attack. That might be possible in a public area, such as over a Wi-Fi network in an airport.
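To make the downgrade concrete from the defender's side, here is an added example (not code from the original post or from Kosmos) that inspects captured handshake records: it reports which protocol version a ServerHello committed to, flags SSL 3.0, and checks whether a ClientHello carried the TLS_FALLBACK_SCSV signalling cipher suite (RFC 7507), which a server that understands it uses to reject a forced fallback. The sample records are constructed inside the block, and the function names are my own, not from any library.

```python
import struct

# Protocol version bytes as they appear on the wire.
VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
}
TLS_FALLBACK_SCSV = 0x5600  # RFC 7507 signalling cipher suite value
CONTENT_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02


def _handshake_body(record: bytes, expected_type: int) -> bytes:
    """Strip the 5-byte record header and 4-byte handshake header."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != CONTENT_HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError("record length mismatch")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != expected_type:
        raise ValueError(f"unexpected handshake type 0x{hs_type:02x}")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("handshake length mismatch")
    return hello


def parse_server_hello(record: bytes) -> dict:
    """Return the version and cipher suite the server committed to."""
    hello = _handshake_body(record, HS_SERVER_HELLO)
    # version(2) random(32) session_id_len(1) session_id cipher(2) compression(1)
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]
    sid_len = hello[34]
    off = 35 + sid_len
    if len(hello) < off + 3:
        raise ValueError("truncated ServerHello")
    cipher = struct.unpack("!H", hello[off:off + 2])[0]
    return {
        "version": version,
        "version_name": VERSION_NAMES.get(version, f"unknown 0x{version:04x}"),
        "cipher_suite": cipher,
    }


def negotiated_ssl3(record: bytes) -> bool:
    """True when the server accepted SSL 3.0, i.e. the POODLE-prone version."""
    return parse_server_hello(record)["version"] == 0x0300


def client_offers_fallback_scsv(record: bytes) -> bool:
    """True when the ClientHello carries TLS_FALLBACK_SCSV in its suite list."""
    hello = _handshake_body(record, HS_CLIENT_HELLO)
    if len(hello) < 35:
        raise ValueError("truncated ClientHello")
    sid_len = hello[34]
    off = 35 + sid_len
    suites_len = struct.unpack("!H", hello[off:off + 2])[0]
    suites = hello[off + 2:off + 2 + suites_len]
    if len(suites) != suites_len or suites_len % 2:
        raise ValueError("bad cipher suite list")
    offered = {struct.unpack("!H", suites[i:i + 2])[0] for i in range(0, suites_len, 2)}
    return TLS_FALLBACK_SCSV in offered


# Constructed sample records (all-zero random, empty session id) for demonstration.
def build_server_hello(version: int, cipher_suite: int = 0x002F) -> bytes:
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    hs = bytes([HS_SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", CONTENT_HANDSHAKE, version, len(hs)) + hs


def build_client_hello(version: int, suites: list) -> bytes:
    body = b"".join(struct.pack("!H", s) for s in suites)
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", len(body)) + body + b"\x01\x00"
    hs = bytes([HS_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", CONTENT_HANDSHAKE, 0x0301, len(hs)) + hs


if __name__ == "__main__":
    for v in (0x0300, 0x0303):
        rec = build_server_hello(v)
        print(parse_server_hello(rec)["version_name"], "downgrade target:", negotiated_ssl3(rec))
    print("fallback SCSV offered:", client_offers_fallback_scsv(build_client_hello(0x0300, [0x002F, TLS_FALLBACK_SCSV])))
```

Run over ServerHello records pulled from a capture, `negotiated_ssl3` is the check that a server has really stopped accepting SSL 3.0; the SCSV check on ClientHello shows whether a retrying client is signalling its fallback so that a patched server can refuse it.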
The Kosmos response
But as always, we take every bug very seriously. Our engineering team was immediately on it and implemented the following measures as of October 20th, 2014:
· We have removed SSL 3.0 on all of our servers.
· If you are connecting to a third-party application (Authorize.net AIM, PayPal Pro, UPS, FedEx, Avalara, etc.) today, these platforms, and thousands more, are also discontinuing support for SSL 3.0.
Magento & Poodle
For Magento, you will also have to apply the appropriate patches.
Magento users, see the Magento forum post regarding the POODLE vulnerability here: http://magento.stackexchange.com/questions/40282/how-to-manage-the-ssl3-poodle-vulnerability