Several weeks ago, we blogged about the important upcoming SSL and TLS security updates required to ensure your shopping cart can transact with 3rd party payment and shipping providers (e.g. Authorize.net, PayPal, UPS, FedEx, etc.). Even though our latest Storefront 8.0 is already compatible and ready for the industry-wide changes, some customers are not ready to upgrade their Web site to DNN 8.0, which is a core requirement for the latest Storefront. After listening to customer feedback, we decided to release Storefront 7.6, which has the same security updates and works with older DNN 7.2+.
Since this is a back-ported release, Storefront 7.6 contains only the features from the previous Storefront 7.5 and does not include any new features from 8.0. You only need to make sure your server already has .NET Framework 4.5 or higher installed, which comes by default if you have automatic Windows updates. If you don't have it, you can download the .NET 4.5 framework here. You can run the following PowerShell command to verify your installed .NET versions:
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -recurse | Get-ItemProperty -name Version -EA 0 | Select Version
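To check specifically for the 4.5-or-higher requirement, the following added example (not part of the original post or of Storefront) reads the `Release` value under the `v4\Full` subkey, which Microsoft documents for detecting .NET 4.5 and later, and reports whether the runtime knows TLS 1.2. The names `Get-DotNet4Version` and `$releaseMap` are chosen for this example.

```powershell
# Added example: map the .NET Framework 4.x Release value to a version and
# report TLS 1.2 availability. Thresholds are the minimum Release values
# Microsoft documents for each version, checked from newest to oldest.
$releaseMap = @(
    @{ Min = 528040; Version = '4.8'   },
    @{ Min = 461808; Version = '4.7.2' },
    @{ Min = 461308; Version = '4.7.1' },
    @{ Min = 460798; Version = '4.7'   },
    @{ Min = 394802; Version = '4.6.2' },
    @{ Min = 394254; Version = '4.6.1' },
    @{ Min = 393295; Version = '4.6'   },
    @{ Min = 379893; Version = '4.5.2' },
    @{ Min = 378675; Version = '4.5.1' },
    @{ Min = 378389; Version = '4.5'   }
)

function Get-DotNet4Version {
    param([int]$Release)
    foreach ($entry in $releaseMap) {
        if ($Release -ge $entry.Min) { return $entry.Version }
    }
    return $null   # below 378389: .NET 4.5 is not installed
}

# The Release value only exists when .NET 4.5 or later is installed.
$key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
$version = if ($release) { Get-DotNet4Version -Release $release } else { $null }

if ($version) {
    Write-Output ".NET Framework $version or later detected (Release $release): meets the 4.5 requirement."
} else {
    Write-Output '.NET Framework 4.5 or higher was not detected on this server.'
}

# Protocol versions the runtime knows about, and what this PowerShell process
# currently offers. The second line describes this process only, not the
# web application's own settings.
$known = [enum]::GetNames([Net.SecurityProtocolType])
Write-Output "TLS 1.2 known to runtime: $($known -contains 'Tls12')"
Write-Output "Current process setting:  $([Net.ServicePointManager]::SecurityProtocol)"
```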
For more information, please consult the release notes here.
What is SSL and TLS?
SSL and TLS are both protocols used by computers to secure the communication between machines. They tell the machines how to encrypt and decrypt data sent over the Internet. Over the years, there have been many versions of these protocols, such as SSL 3, TLS 1.0, TLS 1.1 and TLS 1.2.
Who is affected?
The exploits are not limited to Revindex software. Anyone and any application that uses HTTPS communication over the Internet is affected. This means the issue is not limited to the payment providers in your Storefront. Any shipping, payment, fulfillment, tax or other 3rd party provider that employs HTTPS for machine communication is affected by these exploits. All over the world, changes are being made.
How soon do I have to upgrade?
You should plan to upgrade as soon as possible. Aside from the obvious breaking changes enforced by 3rd party providers, you are potentially exposing important personal information to hackers. By upgrading, your site will comply with PCI rules, become more secure and run faster, and you will gain new enhancements that can potentially increase your sales revenue. The deadline varies slightly for each provider. Here is a short list of known dates for these providers:
- eProcessingNetwork requires TLS 1.2 by March 31, 2016
- UPS requires TLS 1.2 by May 31, 2016
- PayPal requires TLS 1.2 by June 17, 2016
- Authorize.net requires TLS 1.2 by early 2017