Poodle

I would like to know if this “POODLE” affects cs-cart shopping cart.

Does it use SSLv3 to send transactions to Authorize.Net?



Information from Authorize.Net

As you may be aware, an Internet-wide security issue, commonly referred to as POODLE, has been identified in the last two weeks and affects anyone using older Web browsers that use SSL version 3 (SSLv3), specifically Internet Explorer (IE) 6. This issue creates a vulnerability that could allow hackers to gain access to any connection using this outdated Web browser.

Authorize.Net itself is not vulnerable to POODLE, but we are making changes to our systems to assure that we are providing our merchants and their customers with the highest degree of security possible.

To that end, on November 4, 2014, we will be disabling the use of SSLv3 within our systems. This means that if your website or shopping cart solution uses SSLv3 to send transactions to Authorize.Net, you will no longer be able to process transactions. You will also no longer be able to access any secure Authorize.Net pages from IE6.

We expect that a minimal number of our merchants will be affected. However, because we do not control how your particular site or solution sends transactions to us, this change could potentially impact your transaction processing. Please immediately contact your web developer or shopping cart solution to see if you will need to make any changes to your site or solution before November 4th.

Most modern shopping carts do not use this old technology in their solutions–in general, POODLE will only affect solutions that are older and use SSLv3. But again, because we do not control which method your systems use for transaction processing, we are not able to advise whether or not this change will affect your site or solution. We strongly urge you to contact your web developer or payment solution provider to find out for sure.

We apologize for the short notice, but security is of the utmost concern. Authorize.Net and most other payment and technology companies are disabling SSLv3 as soon as possible to help make sure that hackers aren’t able to exploit this vulnerability.

Same question, and if so, what versions of cs-cart are impacted. I have carts from version 1.3.5 SP4 all the way to version 4.x running.

I hope CS-Cart addresses this ASAP. I would like to know if any versions of CS-Cart use SSLv3 and what we can do to keep those shops open.

Ditto the other two comments. Auth.net will pull the plug on this on November 4!

SSL is a property of your web-server and has nothing to do with the cart. Your web-server looks at the protocol specification of a request (http, https, ftp, sftp, etc.) and then uses the underlying encryption method configured on your server to either encode or decode the request. For inbound, this is done well before PHP even sees it. For outbound the protocol is specified in the URL.



If every application carried a version of SSL, you'd have a real mess.

[quote name='tbirnseth' timestamp='1414613488' post='195652']

SSL is a property of your web-server and has nothing to do with the cart. Your web-server looks at the protocol specification of a request (http, https, ftp, sftp, etc.) and then uses the underlying encryption method configured on your server to either encode or decode the request. For inbound, this is done well before PHP even sees it. For outbound the protocol is specified in the URL.



If every application carried a version of SSL, you'd have a real mess.

[/quote]

Wonder why Authorize.net said this, “Please immediately contact your web developer or shopping cart solution to see if you will need to make any changes to your site or solution before November 4th.”



Seems like it must have something to do with the shopping cart.

“Shopping cart solution” as in “hosted shopping cart.” If you were using BigCommerce or Shopify, etc., you'd contact your shopping cart solution because they are the ones who are running your store, including your SSL.



In our case, we probably need to contact our hosting providers.

So it will be up to the hosting provider to make sure they're not running SSLv3? Thank you.

[quote name='Jmamelia' timestamp='1414626424' post='195662']

So it will be up to the hosting provider to make sure they're not running SSLv3? Thank you.

[/quote]



Depends who takes care of your SSL certificates…whether you buy and install your own, or if you are using a shared certificate.



You can test your site's vulnerability to POODLE here:

[quote name='Jmamelia' timestamp='1414626424' post='195662']

So it will be up to the hosting provider to make sure they're not running SSLv3? Thank you.

[/quote]



Not necessarily. Most hosts patched for this soon after it was made public. However, if you have a system that makes use of an SSLv3 declaration… that needs to be changed.



This is not a problem that we have found with the authorize.net module as far back as 2.0x sites on up. We manage a large number of stores … and have yet to find this in CS Cart. Zen Cart, OScommerce and Virtuemart - absolutely …

And to clarify - it needs to be changed at a programming level.



We're dbl-checking PayPal & Payflow Pro right now because their cut off is in a few days.
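One way to look for the hard-coded SSLv3 declaration mentioned in the posts above, as an added example that is not part of the original thread and is not CS-Cart's code: a Python scan of a store's PHP files. It assumes the declaration takes the form of PHP cURL's `CURLOPT_SSLVERSION` set to SSLv3 or an `sslv3://` stream transport; the sample PHP and the function names are constructed for illustration.

```python
import os
import re
import sys

# Assumed forms of an outbound "SSLv3 declaration" in PHP (not CS-Cart code).
RULES = [
    # cURL pin, call or array form; 3 is the value of CURL_SSLVERSION_SSLv3.
    ("curl-sslversion", re.compile(
        r"CURLOPT_SSLVERSION\s*(?:,|=>)\s*(?:3|CURL_SSLVERSION_SSLv3)\b")),
    # Stream transport that forces SSLv3 (fsockopen, stream_socket_client).
    ("stream-transport", re.compile(r"\bsslv3://", re.IGNORECASE)),
]

def scan_source(text):
    """Return (line_number, rule_name, line) for each live SSLv3 pin."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue  # skip commented-out code
        hits += [(number, name, stripped)
                 for name, pattern in RULES if pattern.search(stripped)]
    return hits

def scan_tree(root):
    """Scan every .php file under root; return {path: hits} where hits exist."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for filename in (f for f in files if f.lower().endswith(".php")):
            path = os.path.join(folder, filename)
            with open(path, encoding="utf-8", errors="replace") as handle:
                hits = scan_source(handle.read())
            if hits:
                report[path] = hits
    return report

# Constructed sample input for the demonstration.
SAMPLE_PHP = '''<?php
$ch = curl_init($gateway_url);
curl_setopt($ch, CURLOPT_SSLVERSION, 3);
// curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3);
curl_setopt_array($ch, array(CURLOPT_SSLVERSION => CURL_SSLVERSION_SSLv3));
$fp = stream_socket_client("sslv3://gateway.example:443");
curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
'''

if __name__ == "__main__":
    report = scan_tree(sys.argv[1]) if sys.argv[1:] else scan_source(SAMPLE_PHP)
    print(report)
```

A hit means that code path forces SSLv3 for its outbound connection whatever the server's TLS library supports; code that sets no version leaves the choice to the library's negotiation.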