Earlier this month, Google researchers published details of POODLE, a vulnerability in the SSLv3 protocol that many web servers still accept for secure page delivery. This came hot on the heels of Heartbleed and Shellshock, both of which were major security holes.
Why isn’t POODLE the same level of severity as Heartbleed and Shellshock?
With the previous security issues, both Heartbleed and Shellshock could be exploited remotely by anyone who could reach the server: there was no need to have access to the server beforehand, or to be able to intercept the traffic flowing between the browser and the server. Because of this, anyone could take advantage of those security holes without any special access or privilege.
POODLE, by contrast, requires the attacker to be a “man in the middle” between your browser and the server before the flaw can be exploited. What does this mean?
It means the attacker must be able to intercept your traffic and alter it: first to force your browser to fall back from TLS to SSLv3, and then to modify the encrypted records so that the server’s reaction (accept or reject) leaks something about the plaintext. To be in that position, the attacker must either already have compromised your network or, over WiFi, have tricked you into connecting to his or her access point instead of the one you intended.
Even after all of that, the attacker still has to get code (typically JavaScript) running in your browser to make it send a large number of crafted requests, and then repeat the process over and over, recovering a secret such as a session cookie one byte at a time, at a cost of roughly 256 requests per byte.
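To make that “piece by piece” recovery concrete, here is an added simulation of the SSLv3 padding weakness POODLE exploits. It is not code from the original post. The block cipher is a toy Feistel construction standing in for 3DES/AES, the request layout, cookie value (`SECRET`) and keys are constructed for the demo, and a fresh random IV per record stands in for SSLv3’s chained IV. What it reproduces faithfully is the flaw itself: SSLv3 checks only the padding length byte and the MAC, never the padding bytes, so a man in the middle who copies a chosen ciphertext block over the all-padding final block learns one plaintext byte each time the server accepts the record, about one try in 256.

```python
# Added example: simulation of the POODLE padding oracle against SSLv3-style records.
# Toy cipher, constructed keys/cookie/request layout; not the original post's code.
import hashlib
import hmac
import os

BLOCK = 16      # cipher block size
MAC_LEN = 20    # HMAC-SHA1 stands in for SSLv3's MAC
SECRET = b"sid=Xk92vQ7p"                             # constructed cookie the attacker wants
COOKIE_OFFSET = len(b"POST / HTTP/1.1\r\nCookie: ")  # attacker knows the request layout


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Toy 4-round Feistel cipher: gives CBC its structure, is NOT a real cipher.
def _f(key, half, r):
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for r in range(4):
        left, right = right, xor(left, _f(key, right, r))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for r in reversed(range(4)):
        left, right = xor(right, _f(key, left, r)), left
    return left + right


def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out.append(xor(block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)


def ssl3_seal(enc_key, mac_key, plaintext):
    """Client side: MAC, then pad, then CBC-encrypt (random IV stands in for chaining)."""
    body = plaintext + hmac.new(mac_key, plaintext, hashlib.sha1).digest()
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK   # pad bytes before the length byte
    body += os.urandom(pad_len) + bytes([pad_len])        # SSLv3: pad bytes are arbitrary
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(enc_key, iv, body)


def ssl3_open(enc_key, mac_key, record):
    """Server side: True if the record is accepted. This is the oracle: only the
    length byte and the MAC are checked, the padding bytes themselves never are."""
    body = cbc_decrypt(enc_key, record[:BLOCK], record[BLOCK:])
    pad_len = body[-1]
    if pad_len >= BLOCK:
        return False
    body = body[:-(pad_len + 1)]
    plaintext, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(mac, hmac.new(mac_key, plaintext, hashlib.sha1).digest())


def browser_request(path_len, body_len):
    """What the attacker's JavaScript makes the victim's browser send: the attacker
    picks URL and body lengths; the browser attaches the cookie automatically."""
    return (b"POST /" + b"A" * path_len + b" HTTP/1.1\r\nCookie: " + SECRET
            + b"\r\n\r\n" + b"B" * body_len)


def recover_byte(k, enc_key, mac_key):
    """Man-in-the-middle step for secret byte k. Returns (byte value, records used)."""
    # Lengths chosen so secret[k] is the last byte of some block and the record ends
    # with a block that is entirely padding (length byte == BLOCK - 1).
    path_len = (BLOCK - 1 - (COOKIE_OFFSET + k)) % BLOCK
    body_len = (-(len(browser_request(path_len, 0)) + MAC_LEN)) % BLOCK
    target = (COOKIE_OFFSET + path_len + k) // BLOCK      # plaintext block holding secret[k]
    attempts = 0
    while True:
        attempts += 1
        record = ssl3_seal(enc_key, mac_key, browser_request(path_len, body_len))
        blocks = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]  # [0] is the IV
        c_i, c_prev, c_last_prev = blocks[target + 1], blocks[target], blocks[-2]
        # Overwrite the all-padding last block with C_i. The server accepts iff the last
        # byte of D(C_i) XOR C_{n-1} == BLOCK-1, i.e. iff P_i[-1] == 15 ^ C_{i-1}[-1] ^ C_{n-1}[-1].
        if ssl3_open(enc_key, mac_key, b"".join(blocks[:-1]) + c_i):
            return (BLOCK - 1) ^ c_prev[-1] ^ c_last_prev[-1], attempts


def poodle(enc_key, mac_key, secret_len):
    """Recover the whole cookie byte by byte; expect roughly 256 records per byte."""
    out, total = bytearray(), 0
    for k in range(secret_len):
        byte, n = recover_byte(k, enc_key, mac_key)
        out.append(byte)
        total += n
    return bytes(out), total


def demo():
    enc_key, mac_key = os.urandom(16), os.urandom(20)   # session keys the attacker never learns
    return poodle(enc_key, mac_key, len(SECRET))


if __name__ == "__main__":
    recovered, records = demo()
    print(f"recovered {recovered!r} using {records} records")
```

Running it recovers the full cookie without ever learning the keys, using on the order of 3,000 records for a 12-byte secret. That is why the attack needs both a network position (to rewrite ciphertext and observe the server’s accept/reject) and code in the browser (to generate thousands of requests with chosen lengths). TLS 1.0 and later reject the same record because they require every padding byte to carry the padding length, which is the check `ssl3_open` is missing.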
The Bottom Line: it is *VERY UNLIKELY* that you or your website will be hacked via POODLE. But since there is a chance, the threat has to be addressed.
What we did
Shortly after the vulnerability was announced, we disabled SSLv3 as an available protocol for secure connections to our servers. This change has hardly any impact, except for the very few people still using Internet Explorer 6 on Windows XP, which does not enable TLS by default. Since a connection that never uses SSLv3 cannot be attacked with POODLE, this eliminated the vulnerability on our network.
A patch was also released that mitigates POODLE even with SSLv3 enabled: it adds the TLS_FALLBACK_SCSV signal, with which an updated browser tells the server that it is retrying at a lower protocol version, so the server can refuse a downgrade forced by an attacker. We applied this patch as soon as it was released. Note that it only protects clients that have themselves been updated to send the signal; a client that can only speak SSLv3 gets no protection from it. Disabling SSLv3 is still the recommended fix, but the patch provides some flexibility for the rare cases where SSLv3 is needed.
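For readers who run their own servers, this is an added example of the SSLv3 change described above for Apache httpd with mod_ssl; it is not the configuration from the original post, and the file name is an assumption (distributions place the global SSL settings in different files).

```apache
# Added example (not from the original post). Put this in the global mod_ssl
# configuration (e.g. ssl.conf), not only inside one <VirtualHost>, and restart httpd.
# "all" means every protocol the OpenSSL build supports; the minus entries remove
# SSLv2 and SSLv3, leaving TLS 1.0 and newer.
SSLProtocol all -SSLv2 -SSLv3
```

The nginx equivalent is `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in the `server` block. To verify from a machine whose OpenSSL still has SSLv3 compiled in, run `openssl s_client -connect yourhost:443 -ssl3`: a handshake failure is the result you want, while a completed handshake means SSLv3 is still on.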
Note that most major websites, such as Facebook, Twitter and PayPal, have also disabled SSLv3.
Does this affect ShopSite or Magento ecommerce stores?
If you are using ShopSite or Magento as your ecommerce platform, disabling SSLv3 (whether by us or by your payment gateway) will not affect your payment transactions. Everything will continue to work as it did before.
However, older third-party software (such as an old version of ShipWorks or ShopSite’s Order Transfer Module) may still rely on SSLv3. If it does, you may not be able to download orders into these applications until you upgrade to a newer version that does not need SSLv3.
If you are unable to upgrade the software, let us know. If you have your own SSL certificate, we can re-enable SSLv3 for it (with the mitigation patch applied) so you can continue using the software until you can get it upgraded. Bear in mind that the patch cannot protect a client that can only speak SSLv3, so treat this as a short-term measure and upgrade as soon as you can.
POODLE is a real vulnerability, but it is not as bad as the previous security issues. It is very unlikely to be used to hack into your browser or your site, but the remote possibility makes it something that has to be dealt with nonetheless.