WEDNESDAY, 25 MAY 2016
CRITICAL - ACTION REQUIRED - Please cascade to operational areas, IT or Web Development team as appropriate
Payment Express wishes to advise clients and partners, as a preventative measure the Secure Sockets Layer (SSL) protocol will be disabled on all front-end web servers. The way SSL ciphers encrypt traffic could potentially allow attackers to decrypt information.
This change is in response to the "Poodle" ("Padding Oracle") cyber-attack recently uncovered. The attack exploits SSL which could allow for encrypted data to be revealed.
Google’s security team discovered a vulnerability in SSL version 3.0 http://googleonlinesecurity.blogspot.com.au/2014/10/this-poodle-bites-exploiting-ssl-30.html in October 2014. Historically SSL was supplanted by TLS and the current version is 1.2, but older systems fall back to using SSL 3.0 for compatibility. This is a design flaw in SSL/TLS and there is no patch to fix the bug. Instead, most organisations are disabling support for SSL 3.0, a protocol which is old and deprecated. Many of our business partners may still be using systems that rely on SSL 3.0, we request that these systems be configured/upgraded to support TLS.