Solved

Classic ASP Website and POODLE

Posted on 2014-10-29
10
860 Views
Last Modified: 2014-10-29
I need some help with POODLE.

I have followed instructions on setting my server up so that it will not use SSL 3.0 by changing the registry and testing it.

My issue is that Authorize.Net says I need to make sure that my shopping cart will not be affected when processing credit card transactions.

My cart is written in classic ASP and uses Server.CreateObject ("MSXML2.ServerXMLHTTP.4.0") to send the request to Authorize.NET for credit card processing.

How do I evaluate my solution to see if it will be a problem?

Thanks!
0
Comment
Question by:GenesisTech
  • 5
  • 3
10 Comments
 
LVL 52

Expert Comment

by:Scott Fell, EE MVE
ID: 40411048
I received the same email today.  They are talking about the browser and it will only affect people using older IE browsers like ie6 from my understanding.
0
 
LVL 52

Expert Comment

by:Scott Fell, EE MVE
ID: 40411061
The copy of that email looks like it is from http://www.authorize.net/support/poodlefaqs/#whattodo 

Microsoft is saying there will be an update https://technet.microsoft.com/en-us/library/security/3009008.aspx

Are you using shared hosting or dedicated/vps?
0
 
LVL 52

Expert Comment

by:Scott Fell, EE MVE
ID: 40411101
There is some good answers about server specifics answered http://www.experts-exchange.com/Networking/Protocols/SSL/Q_28539415.html

I have also asked some others for input.
0
Active Directory Webinar

We all know we need to protect and secure our privileges, but where to start? Join Experts Exchange and ManageEngine on Tuesday, April 11, 2017 10:00 AM PDT to learn how to track and secure privileged users in Active Directory.

 

Author Comment

by:GenesisTech
ID: 40411282
I have a dedicated server.
0
 
LVL 52

Accepted Solution

by:
Scott Fell,  EE MVE earned 500 total points
ID: 40411312
That link I gave you from MS outlines how to disable sslv3   https://technet.microsoft.com/en-us/library/security/3009008.aspx

Disable SSL 3.0 in Windows
For Server Software
You can disable support for the SSL 3.0 protocol on Windows by following these steps:
Click Start, click Run, type regedt32 or type regedit, and then click OK.
In Registry Editor, locate the following registry key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
On the Edit menu, click Add Value.
In the Data Type list, click DWORD.
In the Value Name box, type Enabled, and then click OK. 
Note If this value is present, double-click the value to edit its current value.
In the Edit DWORD (32-bit) Value dialog box, type 0 .
Click OK. Restart the computer.
 
Note This workaround will disable SSL 3.0 for all server software installed on a system, including IIS.

Note After applying this workaround, clients that rely only on SSL 3.0 will not be able to communicate with the server.
 
For Client Software
You can disable support for the SSL 3.0 protocol on Windows by following these steps:
Click Start, click Run, type regedt32 or type regedit, and then click OK.
In Registry Editor, locate the following registry key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
On the Edit menu, click Add Value.
In the Data Type list, click DWORD.
In the Value Name box, type Enabled, and then click OK. 
Note If this value is present, double-click the value to edit its current value.
In the Edit DWORD (32-bit) Value dialog box, type 0 .
Click OK. Restart the computer.
 
Note This workaround will disable SSL 3.0 for all client software installed on a system.

Note After applying this workaround, client applications on this machine will not be able to communicate with other servers that only support SSL 3.0.

Open in new window

0
 

Author Comment

by:GenesisTech
ID: 40411507
Scott and others.

I have followed the link's instructions and I get that already. My understanding is that the link refers to handling INBOUND web requests and how my server will respond to them.

My concern has to do with OUTBOUND payment processing requests. Authorize.NET specifically states that you need to make sure your Shopping Cart software will not have a problem submitting and processing a transaction request to Authorize.NET. How do I determine what protocol my shopping cart uses when sending out the request and whether it will work with Authorize.NET or not?
0
 
LVL 58

Expert Comment

by:Gary
ID: 40411516
No points for this as Scott has already answered it.
All you need do is disable SSLv3 on your server - end of, nothing else to do, carry on with your life.
0
 
LVL 52

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell,  EE MVE earned 500 total points
ID: 40411562
If SSLv3 is not available on the server, it can't be used.  

I didn't have to do anything for my own server. Check this out for your own
https://www.ssllabs.com/ssltest/index.html
0
 

Author Comment

by:GenesisTech
ID: 40411640
OK. I appreciate the help.

I guess I was confused because Authorize.NET made it sound like there were 2 very distinct actions that needed to be taken.
1) To make sure your server no longer supported SSL3 for incoming requests....AND
2) To make sure your transaction processing request being sent to Authorize.NET would be in compliance as well.

If fixing the server fixes both for me, than I guess I am all set.

Thanks guys!!!
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Access ACCDE without Encryption 1 25
Review of OCA certificate policy 1 29
If condition on Html with Asp 11 29
Diminish Pop-up  in 3 seconds 7 52
SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
I've been an avid user and supporter of Malwarebytes Premium Version 2.x for years. It's an excellent product that runs alongside just about any Anti-Virus application without issues. It seems to have an uncanny ability to pick up many things that A…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question