POODLE is the term used to describe the security vulnerability in the SSL Version 3 cryptogram (i.e. SSLv3) used by older Internet browsers. It was identified the week of October 13, and many Internet service providers are working on deprecating or disabling SSLv3 in their systems to prevent any exploits of the vulnerability.
SSLv3 is a cryptographic protocol utilized to securely submit data over the HTTPS protocol. Most modern browsers and solutions have deprecated SSLv3 in favor of its successor, TLS. SSLv3 has been around since 1996, and TLS has been around since 1999.
These protocols are utilized by web browsers when visiting HTTPS sites,
as well as by software solutions like shopping carts to post
transactions via APIs.
Any merchant using Internet Explorer 6 (IE6) to access secure Authorize.Net pages or any merchant whose site or solution uses SSLv3 to post transactions to Authorize.Net.
Please note, because Authorize.Net does not control how your particular site or solution sends transactions to us, we are not able to advise whether or not POODLE affects your systems
On November 4, 2014, Authorize.Net will be disabling the use of SSLv3 within our systems. This means that if your website or shopping cart solution uses SSLv3 to send transactions to Authorize.Net, you will no longer be able to process transactions. You will also no longer be able to access any secure Authorize.Net pages from IE6.
- Browser Note: Most modern browsers support TLS and are not at risk. The only common browser that does not support TLS and is at risk of not working is Internet Explorer 6.
- Software and API Note: Older solutions that use older code or software frameworks (eg. JAVA 1.3, or ASP Classic) that do not support TLS or that have disabled TLS, forcing a downgrade to SSLv3, will be affected. These solutions will need to upgrade their code base and support TLS in order to continue working with Authorize.Net APIs in the future.
Please immediately contact your web or solution developer to determine if you are using SSLv3 to submit transactions. Again, Authorize.Net does not control how your particular site or solution sends transactions to us and cannot determine if you are using SSLv3 and will be affected by the change on November 4th.
If you are not using SSLv3, then you will not be affected by the change on November 4th.
If you are using SSLv3, please make sure to direct your web or solution developer to this post on what to update.
If you are using a version of Internet Explorer older than 7.0, please visit http://www.microsoft.com/en-us/download/internet-explorer.aspx to upgrade.
Firefox, Safari and Chrome users should not be affected.
You can instruct any concerned customers to visit https://zmap.io/sslv3/ to confirm if their browser supports SSLv3. It includes instructions on how to disable SSLv3 for all modern browsers.
If your solution tries to securely connect with SSLv3 first, even if you also have support for TLS, your connections may be refused.
Please visit http://community.developer.authorize.net/t5/The-Authorize-Net-Developer-Blog/Important-POODLE-Information-for-Authorize-Net-Accounts/ba-p/48163 for information on how to test and validate your solution.
Your account will remain open, and you can still log into the Merchant Interface to enter transactions. However, if your solution uses SSLv3 to connect to us, its connections will be refused.
Your domain’s security certificate should work with both TLS and SSLv3 by default. You should not need to replace the certificate.
We ended support for SSLv2 in March 2009, and the PCI Data Security Council considers SSLv2 a violation of the Data Security Standard (PCI DSS). For the sake of your customers’ security we urge them to upgrade to any modern browser.