POODLE SSLv3 Vulnerability – A Recap

Earlier this month, Google announced the discovery of a potential vulnerability in the SSLv3 protocol that is used in many web servers for secure page delivery. This came hot on the heels of the previously announced vulnerabilities, Heartbleed and Shell Shock, both of which were actually major security holes.

Why isn’t POODLE the same level of severity as Heartbleed and Shell Shock?

With the previous security issues, both Heartbleed and Shell Shock could be exploited remotely without the need to either have direct access to the server, or be able to intercept the traffic flowing from the browser to the server. Because of this, anyone could take advantage of these security holes without any special access or privilege.

With the latest POODLE vulnerability, it requires that the attacker be a “man in the middle” for the flaw to be exposed. What does this mean?

It means the attacker must be able to intercept your traffic and then alter it in a way that gives them a chance to decrypt your secure connection. The attacker must either already have hacked your network, or have tricked you over WiFi into connecting to his or her network instead of the one you intended.

Even after all of that, they still need to inject code into your browser, and then repeat the process over and over trying to extract information piece by piece.

The Bottom Line: It is *VERY UNLIKELY* that you or your website will be hacked via POODLE. But since there is a chance, the threat has to be addressed.

What we did

Shortly after the vulnerability was announced, we disabled SSLv3 as an available protocol for secure connections to our servers. This change has hardly any impact, except for the very few people who are still using Internet Explorer 6 on Windows XP. This eliminated the vulnerability on our network.

A patch was also released that mitigates the POODLE vulnerability even if you have SSLv3 enabled. We also applied this patch as soon as it was released. It is still recommended to have SSLv3 disabled, but the patch provides some flexibility for the rare cases where SSLv3 is needed.
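To confirm that the change has actually taken effect on a server, here is an added example (not from the post, and not Lexiconn's own tooling) that sends a minimal SSLv3 ClientHello and reports whether the server answers with an SSLv3 ServerHello or refuses it. The hostname is a placeholder.

```python
import socket
import struct

SSLV3 = b"\x03\x00"
# Three SSLv3-era cipher suites: 3DES-SHA, RC4-SHA, RC4-MD5.
CIPHER_SUITES = b"\x00\x0a\x00\x05\x00\x04"


def build_sslv3_client_hello() -> bytes:
    """Build a record-layer ClientHello that offers protocol version 3.0 only."""
    client_random = b"\x00" * 32                      # a fixed value is fine for a probe
    body = (
        SSLV3                                         # client_version = 3.0
        + client_random
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
        + b"\x01\x00"                                 # one compression method: null
    )
    # Handshake header: type 1 (ClientHello) + 24-bit length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake), version 3.0, 16-bit length.
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Interpret the first record the server sends back to the SSLv3 ClientHello."""
    if len(data) < 5:
        return "refused"                              # closed without sending a record
    content_type, version = data[0], data[1:3]
    if content_type == 0x16 and version == SSLV3 and len(data) > 5 and data[5] == 0x02:
        return "sslv3-accepted"                       # Handshake record carrying a 3.0 ServerHello
    if content_type == 0x15:
        return "refused"                              # Alert, e.g. handshake_failure
    return "unexpected"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the SSLv3 ClientHello and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.your-domain.com"  # placeholder host
    print(f"{target}: {probe(target)}")
```

The probe only tests whether the protocol is still offered: a server that keeps SSLv3 enabled but has the mitigation patch applied will still report "sslv3-accepted".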

Note that most major websites like Facebook, Twitter, PayPal, etc… have also disabled SSLv3.

Does this affect ShopSite or Magento ecommerce stores?

If you are using ShopSite or Magento as your ecommerce platform, the disabling of SSLv3 by us or your payment gateway will not affect your payment transactions. Everything will continue to work as it did before.

However, if you are using older third party software (such as an old version of ShipWorks or ShopSite’s Order Transfer Module), this software may still rely on SSLv3. If it does, you may not be able to download orders into these applications until you upgrade to a newer version that does not need SSLv3.

If you are unable to upgrade the software, let us know. If you have your own SSL certificate, we can enable SSLv3 (with the patch that mitigates this vulnerability) to allow you to continue using the software until you can get it upgraded.

POODLE is an actual vulnerability, but it is not as bad as previous security issues. It is very unlikely it can be used to hack into your browser or site, but the remote possibility makes it something that has to be dealt with nonetheless.

ShopSite Tip – Merchant Alerts and Shipping Errors

A while back, we wrote about Payment Processor Errors and how they can be easily reviewed with the addition of the Merchant Alerts feature in ShopSite Pro v11 SP2.  Today we’re going to review another common alert tracked in Merchant Alerts – Shipping Errors.

Where Is It?

Merchant Alerts is in ShopSite Pro starting with v11 SP2 and it’s available on the Commerce Setup screen.  You can configure what alerts to track, whether to email you when an error occurs, and you can view prior error details.

Email Alerts

While sometimes they can be a little overwhelming on larger stores, the email alerts that ShopSite will send are pretty concise and let you know right away if a customer had a problem.

When you receive an alert email from your store, it will usually have a subject line looking something like this:

ShopSite Alert: Failure in FedEx for *store-id*, Tracking ID: d61fee80-548d-11e4

The “Failure in” part will tell you which module had an error, the “*store-id*” will be your store ID (helpful if you have more than one store) and the “Tracking ID” will be the ID for the issue.

The email will contain details for what the error was, as well as a link to view the details.

Sample Errors

There are a whole variety of errors that ShopSite will track and here are a few samples from alert emails that we have seen customers report recently:

Module: FedEx
Error code:
There are no valid services available.

Common Cause – Invalid zip code or one not serviceable by FedEx, such as an APO address.

Module: UPS
Error code:
The Ship To postal code is invalid for the selected location. (Error code: 113021)

Common Cause – Invalid zip code or one not serviceable by UPS, such as an APO address.

Module: USPS
Error code:
The Destination ZIP Code you have entered is invalid.

Common Cause – (You can see the trend here!) Invalid zip code entered by the customer

When In Doubt – Click The Link

At the bottom of all merchant alert emails will be a link to the details for that alert in your ShopSite backoffice.  So if the alert email doesn’t have enough information or if you are curious for more details go ahead and click the link to login to your backoffice and view that specific error.  The link will look like this:

To view this error, go to the ShopSite back-office for the store at:
https://www.your-domain.com/cgi-yoursite/bo/notifications.cgi?related=d61fee80

Viewing the details will allow you to see what Country & Zip Code were selected, and even what was in their shopping cart.  You may even see a message saying the customer was able to complete their order.  That looks like this:

The order for this error ended successfully as Order#1455.

If you see that then you know the customer resolved their issue and placed their order correctly.

Replicate & Research

If you don’t see anything obvious for the cause of the error, like a 6-digit zip code, then you can use the details from the merchant alert to try and replicate the error.  To do that, just place a test order for the same products it shows the customer had in their cart, and use the same country and zip code.  That will let you see whether the problem is reproducible or was just a temporary issue with that specific shipping service.

TIP: When researching the issue, be sure that the products the customer ordered all have weights assigned to them.  If they do not then a real-time API rate cannot be calculated.

To check zip codes, the USPS has a lookup tool here:

https://tools.usps.com/go/ZipLookupAction!input.action

Click “Cities By Zip Code” on that page to enter a zip and view its cities.  If it’s invalid that will explain the issue, or if it shows something like “APO AE” then you know it’s a military location and only USPS can deliver there.

If you suspect there was an outage with a shipping API, we have a monitor site here that tracks API outages:

http://www.shippingapimonitor.com

As you will see, most shipping alerts come down to user error, usually from accidentally typing an invalid zip code or having the wrong country selected, but it only takes a few minutes to go into the backoffice and review the details to see what happened.

Further Reading

Shipping API Monitor – What Does 1 Year Tell Us?
http://www.lexiconn.com/blog/2014/07/shipping-api-monitor-what-does-1-year-tell-us/

ShopSite Tip – Payment Processor Errors
http://www.lexiconn.com/blog/2012/06/shopsite-tip-payment-processor-errors/

Ecommerce Tip: Social Logins For A Better Customer Experience

According to a recent survey by Janrain, a majority of customers (perhaps as many as 50-80%) prefer to use an existing social media account for log-in/registration on e-commerce sites.  The most popular of these is Facebook Connect, which accounts for 55% of all social logins.


Providing social login options to customers simplifies the registration process.   Ease of registration/sign-in should lead to greater customer engagement.  It’s also one less set of credentials for the customer and merchant to manage.

ShopSite Integration

Merchants running ShopSite Pro (v11 or higher) can seamlessly integrate with Facebook Connect, allowing new and returning customers to register/sign-in using their existing Facebook account.  Enabling this feature greatly simplifies the registration process and makes signing in a breeze.

When a customer elects to Register via Facebook, all “shareable” data is passed to the ShopSite Customer Registration module and saved in the same way as a traditional registration.

1.  Log into Facebook (https://developers.facebook.com/apps) and follow the instructions provided by ShopSite to create a new Facebook App:

v11: http://www.shopsite.com/help/11.2/en-US/sc/pro/facebook.connect.html
v12: http://www.shopsite.com/help/12.0/en-US/sc/pro/facebook.connect.html

Hint: In order to follow the above instructions, it is necessary to exit from the Facebook “Quick Start” mode (which starts by default).


2.  Under Commerce > Customer Registration > Configure, paste the App ID, App Secret and Site URL (from the Facebook App settings above).


3.  To verify Facebook login is now enabled and working, navigate to your ShopSite Registration or Sign-In page.   You should see the Facebook login button.


If your current Customer Registration template does not include support for Facebook Connect, the following additions will be necessary.  To identify the template currently in use by Customer Registration, go to Commerce > Customer Registration > Configure.  The field to look for is Registration Template.

Merchandising > Custom Templates > Advanced (Customer Registration)

1.  Add the following to the desired location within the [-- DEFINE New_Registration --] section of the template:

[-- IF CR_FACEBOOK_CONNECT --][-- CR_FACEBOOK_CONNECT --]<span id="cr-or">[-- Store.Email_SignUp_Or --]</span>[-- END_IF --]

2.  Add the following to the desired location within the [-- DEFINE Sign_In --] section of the template:

[-- IF CR_FACEBOOK_CONNECT --][-- CR_FACEBOOK_CONNECT --]<span id="cr-or">[-- Store.Email_SignUp_Or --]</span>[-- END_IF --]

3.  At the end of the customer registration template, add the following section:

### E-mail for Forgotten Password if Address is a Facebook Login Customer ###
[-- DEFINE Forgot_Password_Facebook_Email --]
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<body>
<p>[-- STORE.RegisteredFacebookEmail --]</p>
<p>[-- CR_FORGOT_PASSWORD_LINK --]</p>
<p><b>[-- STORE.Name --]</b></p>
</body>
</html>
[-- END_DEFINE Forgot_Password_Facebook_Email --]

To match the layout/style of your current registration template, it may be necessary to add HTML/CSS.

Magento Integration

Merchants running Magento Community Edition can install one of several popular extensions available via Magento Connect.  Most will also include support for Twitter, Google+, LinkedIn and other social media platforms.

Below are a few of the more popular extensions compatible with the latest CE version (1.9):

Social Login by LitExtension
http://www.magentocommerce.com/magento-connect/social-login-by-litextension.html

The LitExtension includes a tutorial for setting up API credentials with some of the most popular social media sites.

GoMage Social Connector
http://www.magentocommerce.com/magento-connect/gomage-social-connector.html

AddShoppers: Social Marketing Apps for eCommerce
http://www.magentocommerce.com/magento-connect/addshoppers-social-marketing-apps-for-ecommerce.html

Note: An account on Magento Connect (free) is required in order to download/install extensions.

First-time Magento Connect users will want to read this short installation guide:

http://info.magento.com/rs/magentocommerce/images/InstallingMagentoConnectExtensions4%200.pdf

After installing an extension you may need to copy the files to your custom theme and skin folders.

Complexity of integration with Magento will vary by extension.  Some minor template modifications may be necessary to achieve the desired look and feel.

It’s Never Too Early To Start Preparing For The Holidays

September is here, fall is on its way, and it’s the time for pumpkin spice everything, but it’s also a great time to spend some time preparing your online store for the holiday season.

1. Mobile & Responsive Design

Online store purchases made with phones or tablets account for over 11% of sales on average, and that share is increasing every year.  If you are working on a new design for your site, or thinking about doing it soon, Responsive Design is the way to go.  If you’re not ready for a new design yet, ShopSite 11SP1 and newer have a mobile feature you can enable.  While not a responsive method, it still provides mobile-friendly pages to your customers.

2. Speed: Google & Customers Like It

A fast-loading website will not only improve your search engine ranking, but your customers will like it too.  Don’t let your competitors have more sales due to your site loading slowly.  For example, do you have a slide show with 20 images pre-loading?  Cut that down to 5, or work with your developer to load 1 image first and then load the remaining images after the rest of the page has loaded for the user.

3. Target Google Shopping Campaigns

Review your Google Shopping Campaign settings and target your most profitable and popular products.  You want to make sure you’re spending your advertising budget in the best possible way.

4. Your Checkout Page Is Secure, Right?

Place a test order and make sure your checkout and thank you pages display their SSL lock symbols correctly and there are no warnings about insecure items loading.  If there are, review the issue with your developer and they can check the code for insecure images or other items that may be breaking it.  We have a great tool to help find insecure items called Why No Padlock?
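As an added example (not from the post, and not the Why No Padlock tool itself), the following script does the check a developer would otherwise do by hand: it parses the checkout page's HTML and lists every sub-resource that would load over plain http://, which is what breaks the padlock. The sample page and store URL are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag attributes that load a sub-resource a browser reports as mixed content.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),          # only rel=stylesheet is checked below
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
}

class MixedContentFinder(HTMLParser):
    """Collect (tag, attribute, absolute URL) for every http:// sub-resource."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return                                    # canonical/alternate links are not loaded
        for attr in wanted:
            value = attrs.get(attr)
            if not value:
                continue
            # srcset holds "url descriptor, url descriptor, ..."; take each URL.
            raw_urls = [value]
            if attr == "srcset":
                raw_urls = [p.strip().split()[0] for p in value.split(",") if p.strip()]
            for raw in raw_urls:
                absolute = urljoin(self.page_url, raw.strip())   # resolves relative and // URLs
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, attr, absolute))

def find_mixed_content(page_url: str, html: str):
    """Return the insecure sub-resource references found in the HTML of an HTTPS page."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample checkout page: two insecure items, the rest are fine.
SAMPLE_PAGE_URL = "https://www.your-domain.com/cgi-yoursite/sc/order.cgi"   # placeholder store URL
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.your-domain.com/css/store.css">
<link rel="canonical" href="http://www.your-domain.com/">
<script src="//cdn.example.com/lib.js"></script>
</head><body>
<img src="/media/logo.png" alt="logo">
<img src="http://static.example.com/badge.gif" alt="trust badge">
<a href="http://www.your-domain.com/help.html">Help</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"insecure {tag}[{attr}]: {url}")
```

Plain links (`<a href>`) are not flagged because the browser does not load them as part of the page; only resources that are fetched while rendering count.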

5. Sales & Coupons – What Options Are There?

When you set up your sales, coupons, or other discounts – be sure to test everything ahead of time.  Don’t send out a mailing to thousands of customers and find out from a customer that the coupon code doesn’t work!

Here’s a blog post we published last year with a variety of tips and options for promotions you can do in ShopSite:
http://www.lexiconn.com/blog/2013/09/tis-the-season-for-sales/

For Magento stores, this tutorial will show you how to configure coupons:
http://www.pixafy.com/blog/2013/08/how-to-create-coupon-codes-in-magento-beginners-tutorial-1/

6. Saving Shopping Carts Can Save A Sale

A customer may not finish their purchase on their first visit to your site, but if they return to complete it and find their cart empty they may not bother to find the products on the store and buy them again.  Don’t let that happen!

ShopSite defaults to saving the cart contents for 7 days, so when the customer returns the products will still be in their cart.  If you have ShopSite Pro you can adjust the value if you would like with the “Keep unfinished shopping carts” field on the Commerce Setup > Order System > Shopping Cart screen.  ShopSite Starter & Manager are hard-coded to 7 days.

For Magento, this feature is called the “Persistent Shopping Cart” and here are the steps to set it to 7 days (604800 seconds):

In the admin panel, go to:
System -> Customers -> Persistent Shopping Cart

Set the following parameters:
Enable Persistence: Yes
Persistence Lifetime (seconds): 604800
Enable “Remember Me”: No
“Remember Me” Default Value: Yes
Clear Persistence on Log Out: No
Persist Shopping Cart: Yes

7. Shipping API Backup Plans

While real-time shipping APIs allow you to provide multiple and accurate shipping rates to your customers, once in a while a carrier’s API servers go offline or have delays reporting rates.  We have a website at www.shippingapimonitor.com which you can use anytime to check to see if an API is online and returning rates.  If your store is reporting shipping errors you can go there to see if it’s an outage.

If the API you use is offline or having connection problems, and you don’t run any others, you could put an extra shipping option in place temporarily so your customers can still place orders.  Maybe you set up a flat-rate Ground Shipping option, or enable another carrier, but it can be very helpful to have a backup plan available in case your carrier’s API is ever offline.

More Suggestions…

Would you like some more ideas and tips for holiday preparation?  Check out the links below for more suggestions:

http://www.lexiconn.com/blog/2012/11/procrastinators-guide-for-holidays/

http://www.lexiconn.com/blog/2010/11/holiday-shopping-checklist/


Extending Magento

While Magento CE has a robust built-in feature set, there are times when desired functionality is seemingly non-existent (e.g. full page cache, Google Shopping feeds, affiliate program, etc.).  In this post, we’ll review some “best practices” for addressing functionality gaps in Magento.


Requirements

To get started, we highly recommend outlining known requirements, expectations and assumptions.  This critical first step can mean the difference between success and failure.

Sharing a consistent set of well written requirements with each technical contact you consult (e.g. community boards, developers, web hosts, vendors, etc…), helps ensure recommendations are accurate and their experience and expertise fully leveraged.  Spending quality time on requirements saves time and money, while also reducing frustration (for everyone, including the merchant).  Bottom line – Don’t skip this step :)


Perception vs. Reality

The Magento backend is highly configurable and at times quite complex.  Prior to extending core functionality, it’s important to dedicate some time to ruling out the possibility a desired change could be met using existing functionality.  Leveraging a core feature avoids not only the upfront costs associated with extensions and custom development, but also the on-going maintenance third-party code brings to the table (especially during upgrades).

Some built-in features, such as pricing & cart rules, are quite flexible and can be extended beyond their advertised usage.  A little “outside the box” thinking goes a long way when evaluating requirements against existing features.

A thorough overview of Magento features and how they are configured can be found at:

http://www.magentocommerce.com/resources/magento-user-guide

Also, specific topics can be researched on the community message boards (read-only as of 2014) at:

http://www.magentocommerce.com/boards


Magento Connect

If existing functionality will not satisfy requirements, the next step would be to search for an extension on Magento Connect.

http://www.magentocommerce.com/magento-connect/


An account on Magento Connect (free) is required in order to download/install extensions.

First-time users will want to read this short installation guide:

http://info.magento.com/rs/magentocommerce/images/InstallingMagentoConnectExtensions4%200.pdf

Some things to consider when deciding on an extension (assuming you have multiple options):

  • Does the extension fully meet your requirements?  Documentation can be sparse, so it may be necessary to temporarily install the extension to fully evaluate it (preferably in a test environment).
  • Is the extension actively supported (free or paid support)?  If an extension has been abandoned (i.e. not compatible with the latest stable core release), there is usually good reason – either it didn’t meet expectations or the functionality was incorporated into the core product.
  • Cost (many are free)


Customization

When required functionality isn’t available in the core product or via a community extension, the next option is to hire a developer who can build a custom solution.

Here are some things to consider when going the customization route:

  • Magento uses a configuration based MVC architecture.  If that doesn’t mean anything to you, it may be best to consult with a Magento developer, preferably one that is Magento Certified.
  • Customizations should be built as extensions of core functionality.
  • Modifying core files is bad and should be avoided at all costs.  “Hacking” core files can result in unintended consequences for dependent features (often outside your scope of testing).  If you must edit a core file, be sure to keep a detailed record of your changes.  It’s likely you will need to manually apply them after an upgrade.