POODLE Authorize.Net

Posted: October 28, 2014 at 10:37 am


David

October 28, 2014 at 10:37 am

From Authorize.net:

As you may be aware, an Internet-wide security issue, commonly referred to as POODLE, has been identified in the last two weeks and affects anyone using older Web browsers that use SSL version 3 (SSLv3), specifically Internet Explorer (IE) 6. This issue creates a vulnerability that could allow hackers to gain access to any connection using this outdated Web browser.

Authorize.Net itself is not vulnerable to POODLE, but we are making changes to our systems to assure that we are providing our merchants and their customers with the highest degree of security possible.

To that end, on November 4, 2014, we will be disabling the use of SSLv3 within our systems. This means that if your website or shopping cart solution uses SSLv3 to send transactions to Authorize.Net, you will no longer be able to process transactions. You will also no longer be able to access any secure Authorize.Net pages from IE6.

I just wanted to confirm that neither Event Espresso nor our payment portal (Mijireh) will be affected by these changes.


Lorenzo Orlando Caum

  • Support Staff

October 28, 2014 at 10:50 am

Hi David,

That is a great question. We’ve also received the notification and it applies to Internet Explorer 6.

Event Espresso does not support that version of Internet Explorer.


Lorenzo


Sidney Harrell

October 28, 2014 at 11:01 am

EE isn’t involved in the direct connection lock between the user’s browser and the payment provider’s servers when the user is redirected to the payment provider’s site (such as PayPal or authnet). Where there is an https connection between the user’s browser and your server, such as to secure your payment form if it is displayed on your site, EE relies on WP and Apache to negotiate that connection, in this case to not use SSL v.3.0, but to use TLS 1.0 or 1.2. The same thing applies when EE goes to make a connection to authnet or another provider’s servers to complete a payment submitted on your site. EE requests a secure curl connection from PHP, so it’s up to the PHP curl module to talk with your server’s OS to determine exactly which protocol to use.
In other words, that all takes place at a lower abstraction layer than what EE’s code is operating at, so it’s not something for you to worry about with respect to EE. If you are still concerned about it, you would want to investigate it on the server admin level.
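
For the server-admin-level check mentioned in the reply above, here is an added example (not part of the original thread and not Event Espresso code) that reports which TLS library the PHP curl module is built against and whether an outbound handshake succeeds with SSLv3 excluded. The URL argument is a placeholder you supply, and the function name `probe` is hypothetical.

```php
<?php
// Added example: check how this server's PHP curl module negotiates HTTPS.
// Usage: php tls_check.php https://your-gateway-host/
// The URL is a placeholder; the page does not give a gateway address.

// Attempt one HTTPS request with the protocol family pinned via CURLOPT_SSLVERSION.
function probe($url, $sslVersion)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY         => true,   // a HEAD request is enough to force a handshake
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSLVERSION     => $sslVersion,
        CURLOPT_SSL_VERIFYPEER => true,   // keep certificate checks on
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 15,
    ]);
    curl_exec($ch);
    $errno = curl_errno($ch);             // 0 means the transfer (and handshake) completed
    $error = curl_error($ch);
    curl_close($ch);
    return ['ok' => $errno === 0, 'errno' => $errno, 'error' => $error];
}

if (!isset($argv[1])) {
    fwrite(STDERR, "usage: php tls_check.php https://host/\n");
    exit(2);
}
$url = $argv[1];

// The TLS backend is what actually picks the protocol, below the application code.
$v = curl_version();
printf("libcurl %s, TLS backend: %s\n", $v['version'], $v['ssl_version']);

$tls  = probe($url, CURL_SSLVERSION_TLSv1);   // TLS 1.x only, SSLv3 excluded
$ssl3 = probe($url, CURL_SSLVERSION_SSLv3);   // SSLv3 only

printf("TLS 1.x: %s\n", $tls['ok'] ? 'handshake OK' : "failed (errno {$tls['errno']}: {$tls['error']})");
printf("SSLv3:   %s\n", $ssl3['ok'] ? 'handshake OK' : "failed (errno {$ssl3['errno']}: {$ssl3['error']})");

if ($tls['ok']) {
    echo "Outbound requests can complete without SSLv3.\n";
} else {
    echo "No TLS 1.x handshake from this server; review the curl/TLS library versions.\n";
}
if ($ssl3['ok']) {
    echo "Both ends still accept SSLv3; disable it where you control the configuration.\n";
}
```

A failed SSLv3 probe is the expected result on a current TLS library or against an endpoint that has already turned SSLv3 off.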


David

October 28, 2014 at 11:30 am

Thank you for the detailed explanation. We are using Mijireh and on NGINX so I can’t imagine it will be a problem but just wanted some more information.

Thanks again!
