You may have seen in the news an announcement regarding a security vulnerability known as Poodle. As your payment gateway provider we want to make sure you are aware of the vulnerability, how it impacts you, and steps that PaymentVision has taken to mitigate the risk.
What is Poodle?
Poodle is a type of man-in-the-middle attack that may be used to exploit a vulnerability in Secure Socket Layer Version version 3 (SSLv3) by forcing some implementations of Transport Layer Security (TLS) into a downgrade in encryption level.
The attack was discovered last month by the Google Security Team and made public two weeks ago. The vulnerability has the potential to expose sensitive data such as passwords, tokens and credit card account numbers if exploited.
For more information on this vulnerability, visit: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
What is SSL?
Secure Socket Layer (SSL) is an encryption protocol that is used to secure communications over the internet. It is considered outdated but most browsers still support it in order to offer compatibility with legacy servers.
What is TLS?
Transport Layer Security (TLS) is the successor to Secure Socket Layer (SSL). While most internet traffic is secured using TLS, many implementations of the protocol will downgrade the encryption level on the client-side in order to overcome interoperability issues with legacy servers that may still rely on SSL. So while TLS is considered to be a secure protocol, many implementations of TLS are not. This has been demonstrated by the Google Security Team with their discovery of the Poodle attack.
How does this impact me?
Most browsers still support SSL, so even if TLS is implemented in your environment it may be forced into downgrading the encryption level to SSL depending on how it was implemented. Again, this has been demonstrated by the Google Security Team with their discovery of the Poodle attack.
What steps can I take to mitigate the risk?
1. Test for Poodle Vulnerability. The following site will check to see if your browser is vulnerable to a Poodle attack – https://www.poodletest.com/. If you see a poodle, then you are at risk.
2. Disable SSLv3 on all browsers and servers. You can do this by changing the security settings. We have included instructions below (see How to disable SSLv3). In the event that disabling SSLv3 is not feasible, step 3 provides an alternative approach to mitigating the risk.
3. Prevent SSLv3 downgrades from attackers. In the event that disabling SSLv3 on all browsers and servers is not feasible, Google recommends TSL_FALLBACK_SCSV support as an option to prevent SSLv3 downgrades from attackers.
How to disable SSLv3?
|Windows||Microsoft Security Advisory 3009008|
|Other||Check with your OS vendor|
What steps is PaymentVision taking to mitigate this risk?
When the vulnerability was made public, our security team was immediately engaged to evaluate the potential threat. In response to the potential threat and in an effort to stay ahead of the threat curve, PaymentVision will be undergoing two maintenance events as outlined within the Maintenance Schedule below. All PaymentVision Services are in scope of this maintenance.
|Disable support SSLv3||Date: Wednesday, 11/12
Time: 10:00pm – 11:00pm EST
|Add support for TLSv1.1 and 1.2||PaymentVision will be sending out a separate notice for this maintenance event once it has been scheduled.|
following the first maintenance event, users will be unable to access PaymentVision services through any browser that does not support TLS v1.0 encryption (e.g., IE 6). This includes anyone using an outdated operating system such as Windows XP. We believe that this is the appropriate response to the vulnerability and realize that this may create compatibility issues for some users.
in order to help you prepare for the first maintenance event, we have disabled SSLv3 in our test environment. You should ensure that you are able to navigate to the Compatibility Testing URL without errors prior to November 12th. You will know that you have successfully navigated to the URL when you have come to a login screen. There is no need to login; just make sure you are able to reach this screen.
Compatibility Testing URL: https://demo.paymentvision.com
If you have any questions, please Contact Support.
We thank you for your continued trust.