Kryptronic

POODLE SSLv3 Exploit: Official Statement

Recently an exploit was discovered which targets a vulnerability in SSLv3, an SSL protocol used by older browsers and by servers which have not been recently updated. This exploit is known as ‘POODLE’ and affects traffic over SSLv3 connections which do not use TLS handshakes. The purpose of this message is to provide an official statement regarding this exploit and how it affects Kryptronic Managed Hosting and Kryptronic Software.

The main concern for ecommerce store owners is whether or not their stores will be able to continue to communicate with vendors like Authorize.net and PayPal, who will be turning off the ability to connect to their services via SSLv3 without using a TLS handshake. For those merchants, if their software and server cannot communicate with those services, orders will be lost.

Kryptronic Managed Hosting

Lightcrest Data Center (Los Angeles, CA): SSLv3 using TLS available, tested connections to Authorize.net and PayPal. No connection interruptions expected.

Rackspace Data Center (Fort Worth, TX): SSLv3 using TLS available, tested connections to Authorize.net and PayPal. No connection interruptions expected.

Kryptronic Software

Kryptronic software packages, including all versions of ClickCartPro and EuropaCart, are unaffected by the POODLE SSLv3 exploit. The exploit compromises the server at a much lower level. Our software uses PHP with cURL to make remote connections to other servers, but does not specify the SSL version to use outright (typically done by setting CURLOPT_SSLVERSION), so the server default is used. Basically, if you’re using Kryptronic software on a server which supports SSLv3 using TLS connections, you’re good to go.

Users with Kryptronic Software who are hosted on servers which are not capable of creating proper SSLv3 using TLS connections should contact their host immediately to upgrade the OpenSSL libraries on the server. To check whether or not your server can make a proper connection, execute the following from your shell:

curl -iv https://paypal.com

If you get an error, you need to get your host to upgrade the OpenSSL libraries on the server. Until that upgrade happens, your online store software will not be able to communicate with services like PayPal and Authorize.net which have disabled non-TLS SSLv3 connections.
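
The check described above can be scripted so that the outcome is classified rather than read by eye. The following is an added example, not Kryptronic code; the function names, result labels and sample traces are constructed for illustration, and the "SSL connection using <protocol> / <cipher>" line format is assumed from OpenSSL-based curl builds.

```shell
#!/bin/sh
# Added example, not Kryptronic code. Interprets the result of `curl -iv`.

# classify_tls_check EXIT_CODE VERBOSE_OUTPUT
# Prints ok-tls, ok-sslv3, ok-unknown, fail-handshake or fail-other.
classify_tls_check() {
    rc=$1
    out=$2
    if [ "$rc" -eq 0 ]; then
        # Assumed format: "* SSL connection using <protocol> / <cipher>".
        # Builds that omit the protocol fall through to ok-unknown.
        proto=$(printf '%s\n' "$out" |
            sed -n 's|^\* SSL connection using \([A-Za-z0-9.]*\) / .*|\1|p' |
            head -n 1)
        case $proto in
            TLSv*) echo "ok-tls" ;;
            SSLv3) echo "ok-sslv3" ;;
            *)     echo "ok-unknown" ;;
        esac
    elif [ "$rc" -eq 35 ]; then
        # curl exit status 35: the SSL/TLS handshake itself failed.
        echo "fail-handshake"
    else
        echo "fail-other"
    fi
}

# check_host HOST: run the page's curl command and classify the outcome.
check_host() {
    # Verbose trace is on stderr; capture it and discard the response body.
    out=$(curl -iv "https://$1" 2>&1 >/dev/null) && rc=0 || rc=$?
    classify_tls_check "$rc" "$out"
}

# Constructed sample traces (not captured from a real server).
SAMPLE_TLS='* Connected to example.test (192.0.2.10) port 443
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
> GET / HTTP/1.1'
SAMPLE_SSL3='* Connected to example.test (192.0.2.10) port 443
* SSL connection using SSLv3 / AES128-SHA
> GET / HTTP/1.1'
SAMPLE_OLD='* SSL connection using AES128-SHA'

# Probe a host only when one is given: sh check.sh paypal.com
if [ "$#" -gt 0 ]; then
    check_host "$1"
fi
```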

Apache Webserver Configuration

Apache webserver configuration is another issue. You have to decide whether or not you’d like to accept SSLv3 connections on your site at this time. Kryptronic Managed Hosting servers are scheduled to be migrated to a TLS-only environment in the near future. This will only affect customers visiting SSL pages using older MSIE6 and lower browsers, and Windows XP users with older Microsoft browsers.

We’re Committed to Security

Stability and security have been the cornerstones of our software’s architecture since its introduction in 1999. We pride ourselves on offering the most secure ecommerce software applications and hosting environment available. If you were not hosting with us and have had a problem due to this POODLE SSLv3 exploit, or any other type of problem, we can help. Just give us a call.

Call 1-800-704-4160 (US Toll Free) or 717-793-2607 (International) if you have questions and we’ll do our best to help.

Kryptronic: Security. Stability. Reliability