The POODLE vulnerability recently found in SSL 3.0 makes this widely used security protocol obsolete and insecure. Google recently announced through its webmasters portal that websites using SSL will have a 1% SEO benefit over sites that do not use it. The newly discovered POODLE vulnerability poses a big threat to banking websites, shopping sites and government sites that still use SSL 3.0 for encryption and security. This 15-year-old protocol is still in use by many sites and is still supported by web browsers as well.
Apple said last month that it will switch from SSL 3.0 to TLS by October 29th for its Push Notification service. Developers have been notified by Apple about the change: “Providers that support both TLS and SSL 3.0 will not be affected and require no changes.”
Paypal, the popular payment gateway provider, updated a help guide so that web developers using the Paypal API can switch from SSL 3.0 to TLS for better security. If you use the Paypal API in a client's website or in your own, you should really follow this guide to ensure that the data sent and received between your customer's computer and the Paypal website is secure.
What is SSL 3.0 POODLE Vulnerability?
The POODLE attack allows an attacker positioned as a man in the middle to retrieve and modify SSL-encrypted communication such as passwords, cookies, authentication tokens and other transaction data. The attacker has to be on the same network (wired or wireless) as the victim to perform this attack, and all current browsers are vulnerable as well. POODLE abuses the protocol negotiation feature built into SSL/TLS to force the use of SSL 3.0 and then leverages the new weakness to decrypt selected content within the SSL session. Because the decryption is done byte by byte, the attacker has to make the client establish a large number of connections to the server.
Users can temporarily avoid public WiFi networks so that banking transactions or other active sessions on SSL-enabled websites cannot be monitored by attackers. Web developers, banking websites and payment gateways are moving quickly to TLS for better security and to prevent the POODLE vulnerability. Security researchers consider SSL 3.0 obsolete and dead after the discovery of POODLE.
Paypal and POODLE Vulnerability Fix
Here is a simple tutorial to help you enable the TLS protocol for the Paypal API in PHP. If you are using PHP 5.0 or above and you have not hard-coded the SSL version (CURLOPT_SSLVERSION), then you do not have to change any code, as cURL by default negotiates the highest version available on the server. Paypal has advised developers to switch to TLS and will start to disallow SSL 3.0 requests from December 3, 2014.
If you have downloaded the Paypal SDK Core project from GitHub, open the PPHttpConfig.php file and make the necessary configuration changes under the SSL section. There are three different options available to manually specify the SSL/TLS version in your PHP file. This will make sure your website visitors are safe from attackers exploiting POODLE.
An example:
/**
* Some default options for curl
* These are typically overridden by PPConnectionManager
*/
public static $DEFAULT_CURL_OPTS = array(
CURLOPT_SSLVERSION => 1, // 1 = CURL_SSLVERSION_TLSv1: require TLS, never SSL 3.0
CURLOPT_CONNECTTIMEOUT => 10,
CURLOPT_RETURNTRANSFER => TRUE,
CURLOPT_TIMEOUT => 60, // maximum number of seconds to allow cURL functions to execute
CURLOPT_USERAGENT => 'PayPal-PHP-SDK',
CURLOPT_HTTPHEADER => array(),
CURLOPT_SSL_VERIFYHOST => 2, // verify that the certificate name matches the host
CURLOPT_SSL_VERIFYPEER => 1 // verify the certificate chain
);
The Paypal website provides a detailed tutorial on manually specifying and configuring the SSL/TLS version.
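As an added example (not code from the Paypal SDK or from the original post), the following PHP shows the SSL 3.0 setting that POODLE makes dangerous beside the hardened TLS setting, assembles the cURL options the way the SDK snippet above does, and reports which SSL library the local cURL build uses so you can tell whether TLS is available. The function names and the endpoint URL are placeholders of my own.

```php
<?php
// Weak form: pinning SSL 3.0 (CURL_SSLVERSION_SSLv3, value 3) is exactly the
// protocol POODLE breaks, so it must not appear in CURLOPT_SSLVERSION.
// (Shown only as a comparison value; never pass it to curl_setopt.)
define('WEAK_SSL_VERSION', CURL_SSLVERSION_SSLv3);

// Hardened form: CURL_SSLVERSION_TLSv1 (value 1) is the same setting the SDK
// snippet above uses and allows TLS 1.0 or newer. On PHP builds that define
// CURL_SSLVERSION_TLSv1_2 (PHP 5.5.19+/5.6.3+ with cURL 7.34+) pin TLS 1.2.
function preferredTlsVersion() {
    return defined('CURL_SSLVERSION_TLSv1_2') ? CURL_SSLVERSION_TLSv1_2 : CURL_SSLVERSION_TLSv1;
}

// cURL options for a Paypal API request, mirroring the SDK defaults but with
// certificate checking enabled and SSL 3.0 ruled out.
function paypalCurlOptions() {
    return array(
        CURLOPT_SSLVERSION     => preferredTlsVersion(),
        CURLOPT_SSL_VERIFYPEER => true, // validate the server certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,    // and that the certificate matches the host
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 60,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_USERAGENT      => 'PayPal-PHP-SDK',
    );
}

// Check for the cURL version question: PHP's TLS support comes from the
// library cURL was built against (reported in 'ssl_version', e.g. OpenSSL),
// not from PHP itself, so this is what to inspect before upgrading.
function describeCurlTls() {
    $v = curl_version();
    return sprintf('cURL %s built with %s', $v['version'], $v['ssl_version']);
}

// Guard: refuse to run with a configuration that still allows SSL 3.0.
function assertNoSslv3(array $opts) {
    if (!isset($opts[CURLOPT_SSLVERSION]) || $opts[CURLOPT_SSLVERSION] === WEAK_SSL_VERSION) {
        throw new RuntimeException('CURLOPT_SSLVERSION must pin a TLS version, not SSL 3.0');
    }
    return true;
}

$opts = paypalCurlOptions();
assertNoSslv3($opts);
$ch = curl_init('https://api.example.invalid/'); // placeholder, not a real endpoint
curl_setopt_array($ch, $opts);
echo describeCurlTls(), PHP_EOL;
```

Run it with `php -f` on the server that hosts your integration; if the reported library predates TLS support, the cURL build, not your PHP code, is what needs upgrading.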
Alright, let me know if you need any more help enabling TLS for PHP on your website or application. Thanks for reading, and don’t forget to share a word about this important security update with your friends and followers on Twitter, Facebook and Google+. Have a wonderful day.
Hi Robin, this is a nice article I found when I was searching for issues of SSL vulnerabilities and enabling TLS.
I have a question here: is there any dependency on the PHP cURL version (I am using cURL 7.19.7 in PHP 5.3.x)? Do I need to upgrade the cURL version to use TLS?
I am not using “CURLOPT_SSLVERSION” in my PHP code.