JSWeb

Security Advisory – Poodle bug lockdown affecting ZenCart payments

Information on the POODLE Security Bug & Advice for ZenCart website owners
Expert engineers working for Google Security this week discovered a security bug in the SSL 3.0 technology used to encrypt Internet data and ecommerce transactions. The bug is known as POODLE (Padding Oracle On Downgraded Legacy Encryption). The SSL 3.0 technology is 18 years old and was superseded by TLS 1.0 in 1999, TLS 1.1 in 2006 and TLS 1.2 in 2008. However, SSL 3.0 is still widely used by many e-commerce website applications.

To maintain the highest levels of security with financial transactions, PayPal will imminently block financial transactions using SSL 3.0. On Wednesday, this caused some PayPal transactions submitted through ZenCart (leading ecommerce software) to give an error message, and PayPal have now released a blog post stating they will block all SSL 3.0 encryption as soon as they reasonably can. Therefore, it is important that ZenCart website owners update the ZenCart software code to use TLS encryption.

It is very likely that other online payment processors, merchants and website software developers will release updates in the coming days. At this particular time, the main advice available is for ZenCart website owners, but we will provide other updates on our social media pages (Facebook and Twitter) as appropriate.

ZenCart have released information on the changes required to their software so that it continues to function with PayPal and Authorize.net payment gateways. The information is available at http://www.zen-cart.com/showthread.php?214916-Important-announcement-about-POODLE-and-payment-security

We highly recommend that all of our clients using ZenCart make the required changes at the earliest opportunity. You should follow the online guide, or open a ticket to arrange a project time with our technicians. Our e-commerce client websites are very important, and therefore our technicians have taken steps where possible to prevent interruption on websites using SSL 3.0 hosted with JSWeb. However, we recommend that all website owners schedule a job with our web developers to check that each individual ZenCart website is fully patched. Due to the importance of this ZenCart update, we will only bill for 30 minutes of our time.

For more general information on the POODLE bug (not specific to ZenCart website owners), please read http://www.theregister.co.uk/2014/10/14/google_drops_ssl_30_poodle_vulnerability/

Please do not hesitate to contact us if you have any questions or concerns.