Authorize.net turning off SSLv3

[keith_rettig]

In an effort to combat POODLE and other issues with security out there, authorize.net is canceling support for SSLv3.

I was wondering if 360works plugins such as Plastic are using SSLv3 when they make connections to the gateways?  If so, how or when can we set the plug-ins to use TLS only?

 

Thanks.

 

Here is the email I just received for edification purposes;

Dear Authorize.Net Merchant:

 

As you may be aware, an Internet-wide security issue, commonly referred to as POODLE, has been identified in the last two weeks and affects anyone using older Web browsers that use SSL version 3 (SSLv3), specifically Internet Explorer (IE) 6. This issue creates a vulnerability that could allow hackers to gain access to any connection using this outdated Web browser.

Authorize.Net itself is not vulnerable to POODLE, but we are making changes to our systems to assure that we are providing our merchants and their customers with the highest degree of security possible.

To that end, on November 4, 2014, we will be disabling the use of SSLv3 within our systems. This means that if your website or shopping cart solution uses SSLv3 to send transactions to Authorize.Net, you will no longer be able to process transactions. You will also no longer be able to access any secureAuthorize.Net pages from IE6.

We expect that a minimal number of our merchants will be affected. However, because we do not control how your particular site or solution sends transactions to us, this change could potentially impact your transaction processing. Please immediately contact your web developer or shopping cart solution to see if you will need to make any changes to your site or solution before November 4th.

Most modern shopping carts do not use this old technology in their solutions--in general, POODLE will only affect solutions that are older and use SSLv3. But again, because we do not control which method your systems use for transaction processing, we are not able to advise whether or not this change will affect you site or solution. We strongly urge you to contact your web developer or payment solution provider to find out for sure.

We apologize for the short notice, but security is of the utmost concern. Authorize.Net and most other payment and technology companies are disabling SSLv3 as soon as possible to help make sure that hackers aren't able to exploit this vulnerability.

 

[sterlpearl]

Our plugins already use TLSv1 to communicate with SSL servers by default, so this is a non-issue for us.

 

Sterling Rouse

Developer

360Works

[keith_rettig]

That's great.
Do you know when you guys will be implementing TLSv1.2?
I am sure the security media is overblowing the weakness of the RC4 ciphers in TLSv1.0, TLSv1.1, but regardless stronger security is almost always better.