Sage Pay anti-POODLE upgrade REDUCED security - briefly

Online payment service Sage Pay has been fingered for temporarily reducing its security while revamping its site security. Security consultant Paul Moore noticed that the Sage Pay website was briefly running a weak cipher last week. The issue was quickly corrected after Moore went public with his concerns on Tuesday. He …

  1. Anonymous Coward

    Hmm, having worked with sage/pay

    seems they were stuck between a rock and a hard place as updating sage systems can be a right PITA.

    Seems they did the right thing to me as it was unlikely the exploit would have been exploited in the time taken to rectify this.

    Personally, good call on Sage to maintain their customers' ability to use said service...

    1. RamblingRant

      Re: Hmm, having worked with sage/pay

      Can I just reiterate, POODLE isn't the issue here... it's the 56-bit export cipher which PCI DSS explicitly prohibits.

      There is absolutely no justification for running it while claiming to be PCI compliant.

      1. Anonymous Coward

        Re: Hmm, having worked with sage/pay

        Agreed but as stated in the original article, the chances of it being exploited were infinitesimally small whilst patching the older systems. I'm not advocating what they did, merely that it was an exercise in damage limitation.
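The point RamblingRant makes is that the finding is a cipher-suite problem rather than a protocol one, and that kind of finding is easy to check for on your own side before an auditor or an external scanner does. The following is an added example (not from the article or from Sage Pay): it takes the list of enabled cipher suites in the shape Python's `ssl.SSLContext.get_ciphers()` returns, flags export-grade and single-DES (56-bit) suites by name and anything below 128 bits of effective strength, and runs the same check against the local default TLS context. The sample scan result is constructed for the example.

```python
import re
import ssl

# Anything below this effective key strength is flagged; 128 is the
# common lower bound for "strong cryptography" and also catches 3DES,
# which OpenSSL reports at 112 bits.
MIN_STRENGTH_BITS = 128

# Single-DES suites in OpenSSL naming ("DES-CBC-SHA", "EDH-RSA-DES-CBC-SHA").
# The "-" after CBC keeps 3DES names ("DES-CBC3-SHA") from matching here;
# those are caught by the strength threshold instead.
SINGLE_DES_PATTERN = re.compile(r"(^|-)DES-CBC-")


def is_weak(cipher: dict) -> bool:
    """Return True if a cipher-suite entry violates the policy above."""
    name = cipher["name"].upper()
    # Export-grade suites carry "EXP" (or "EXP1024") in their OpenSSL name.
    if "EXP" in name or SINGLE_DES_PATTERN.search(name):
        return True
    return cipher.get("strength_bits", 0) < MIN_STRENGTH_BITS


def weak_ciphers(ciphers: list) -> list:
    """Names of the offending suites, in the order the server offers them."""
    return [c["name"] for c in ciphers if is_weak(c)]


def audit_local_default() -> list:
    """Apply the same policy to this host's default client TLS context."""
    return weak_ciphers(ssl.create_default_context().get_ciphers())


# Constructed sample: what a scanner might report for a misconfigured gateway.
SAMPLE_SCAN = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "strength_bits": 256, "alg_bits": 256},
    {"name": "AES128-SHA", "strength_bits": 128, "alg_bits": 128},
    {"name": "DES-CBC3-SHA", "strength_bits": 112, "alg_bits": 168},
    {"name": "EXP-DES-CBC-SHA", "strength_bits": 40, "alg_bits": 56},
    {"name": "DES-CBC-SHA", "strength_bits": 56, "alg_bits": 56},
]

if __name__ == "__main__":
    print("weak suites in sample scan:", weak_ciphers(SAMPLE_SCAN))
    print("weak suites in local default context:", audit_local_default())
```

To audit a real server, feed it the suite list from your scanner of choice (SSL Labs' report lists them) in the same dict shape.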

  2. Anonymous Coward

    "as updating sage systems can be a right PITA."

    THAT is the flaw in the "it's ok, the chances of it being exploited were infinitesimally small" argument.

    If you're going to undertake to be compliant, there has to be a mechanism in place for making it easy to remain compliant 100% of the time. It is the nature of systems today that updates happen. If your systems are a PITA to change, that's where the effort needs to go, because you know what? The next time a similar thing happens, they will think they can get away with it again. Next time might be for a longer time of non-compliance, and it may well be that they get caught out. Cue big media coverage of "this happened before, why did it happen again?"

  3. Anonymous Coward

    You can go against the PCI rules as long as you have a cast iron reason for it - which is up to the auditor as to whether it's acceptable...

  4. PaulW2020

    SagePay not patched for Poodle

    SagePay assure me that their test server is patched for Poodle and soon their live one will be too.

    But testing the domain:

    https://test.sagepay.com

    At https://www.ssllabs.com/ssltest/

    Shows it's still unpatched for Poodle. I tried a few other Poodle test sites and same issue.

    Does this mean the SSL Labs test (and all the other sites) are wrong?

    Or is their payment domain https://test.sagepay.com/gateway/service/vspserver-register.vsp and https://live.sagepay.com/gateway/service/vspserver-register.vsp

    Not actually patched?

    Can anyone shed light on this?

  5. Asterix the Gaul

    Reading the article gave me a sense of time moving on, lol.

    I was trained to Final Accounts in the Kalamazoo 3 in 1 Book-keeping system back in the early 1980s.

    The accounting machines were state of the art for the time & must have cost £K's.

    Reading the article, is it really a 'problem' when it boils down to the amount of 'downtime' involved, surely it's only a question of a quick 'reboot'?
