POODLE Security Advisory
In response to a critical security vulnerability, BluePay will be removing support for older browsers, notably Windows XP’s Internet Explorer 6 (IE6); details are provided below. If you are using a patched version of Internet Explorer 7 or above, modern versions of Chrome, Firefox, or Opera, BluePay will continue to operate normally.
On October 14th, 2014, the “Padding Oracle On Downgraded Legacy Encryption” (POODLE) vulnerability was publicly disclosed. This vulnerability is a flaw in the SSL 3.0 (v3) protocol and affects every implementation of SSL v3. When exploited, POODLE allows an attacker to steal information over time by altering communications between the SSL client and the server (also known as a “Man In The Middle” attack, or “MITM”), or to decrypt part of the confidential message. Although this vulnerability is relatively difficult to exploit, all entities that use SSL v3 encryption, including BluePay, need to take action to protect the confidentiality of data.
To mitigate this vulnerability, BluePay will be modifying all external websites so that they no longer accept connections from browsers that rely on SSL v3. After this change has been implemented, end-users will have to connect via a browser that supports TLS 1.0 or better. For the most part, this will affect Windows XP and Server 2003 users who use the version of the Internet Explorer browser bundled with the OS (Internet Explorer version 6, IE6, or earlier). Some users of Internet Explorer version 7 (IE7) may be affected as well if they have not patched to enable TLS v1.0 support.
BluePay will remove SSL v3 functionality in stages.
On Wednesday November 12th at 10:00 AM CST, BluePay will implement a redirect page for all customers connecting to our payment gateway via SSL v3. These customers will be notified that they will no longer be able to connect to BluePay after SSL v3 is disabled and are encouraged to upgrade or change their browser or OS.
On Wednesday November 19th at 10:00 AM CST, BluePay will no longer support SSL v3. All customers attempting to connect to our systems via SSL v3 will no longer be able to connect to BluePay.
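As an added illustration (not BluePay's code or configuration), the sketch below shows one way a server operator could tell which clients the staged cutoff affects, by reading the highest protocol version offered in the client's first handshake message. The function names, labels and sample bytes are assumptions constructed for this example.

```python
import struct

SSL3, TLS1_0 = 0x0300, 0x0301

def client_hello_version(data: bytes) -> int:
    """Return the highest protocol version offered in a ClientHello."""
    # SSLv2-compatible hello (used by some legacy browsers):
    # 2-byte length with the high bit set, 1-byte message type, 2-byte version.
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        return struct.unpack("!H", data[3:5])[0]
    # SSLv3/TLS record: 5-byte record header (type 0x16 = handshake),
    # 4-byte handshake header (type 0x01 = ClientHello), 2-byte client_version.
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        return struct.unpack("!H", data[9:11])[0]
    raise ValueError("not a ClientHello")

def classify(data: bytes) -> str:
    """Label a client by what it can negotiate once SSL v3 is disabled."""
    version = client_hello_version(data)
    if version >= TLS1_0:
        return "tls-capable"   # unaffected by the cutoff
    if version == SSL3:
        return "ssl3-only"     # would see the notice, then be refused
    return "ssl2-only"         # older than SSL v3

# Constructed sample inputs: only the header bytes the parser reads,
# not captured traffic.
SAMPLES = {
    "v2_hello_offering_ssl3": bytes.fromhex("802e010300"),
    "ssl3_record_hello": bytes.fromhex("160300002f0100002b0300"),
    "tls10_hello": bytes.fromhex("160301002f0100002b0301"),
    "tls12_hello": bytes.fromhex("160301002f0100002b0303"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {client_hello_version(raw):#06x} -> {classify(raw)}")
```

A hello that offers only SSL v3 can also be a fallback retry from a TLS-capable browser, so this labels individual connections rather than proving what a browser supports.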
Affected Windows XP end-users are encouraged to upgrade their computer’s operating system to Windows 7 or better. Affected IE7 end-users should patch the application to support TLS 1.0 or better. Alternatively, end-users may choose to install an alternative browser such as Firefox, Chrome, or Opera.
Linux and Apple OS (Mac) users should already have TLS 1.0 capable browsers installed on their systems. However, if Linux and Mac users experience difficulties connecting to BluePay after SSL v3 has been disabled, it is recommended that they patch their operating system or install a current version of the Firefox, Chrome, or Opera browser.
Thank you for your business,
The BluePay Team
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you have any questions or concerns
please contact Merchant Services:
(866) 739-8324