From: "David E Jones" <david.jo...@hotwaxmedia.com>
On Apr 14, 2009, at 11:21 AM, Jacques Le Roux wrote:
From: "Ashish Vijaywargiya" <ashish.vijaywarg...@hotwaxmedia.com>
Hello Marco,
Thanks for your wonderful work in this area.
I truly appreciate your efforts.
Here are few thoughts / comments :
1) We are saving password as it is.
https://localhost:8443/accounting/control/ViewGatewayConfiguration?paymentGatewayConfigId=PAYFLOWPRO_CONFIG
I think we should encrypt the password before saving it to database and
will not show the password as it is while fetching it from database.
Thoughts ?
+1, using what we already use (also SHA that should be salted at some point in
the future)
These are all good changes, so thanks to Jacques and especially Ashish for the
comments.
For the gateway password encryption we'll want to use the Entity Engine's built-in two-way encryption. We can't use SHA/hash
encryption because we have to be able to decrypt these passwords to send them to the payment gateway (ie they would never accept
a hashed form of the password, that is a big security hole and basically nullifies most of the benefit of the hash, which is why
by default we don't allow that in OFBiz either).
-David
Hi David,
I understand that we need a 2 ways encryption for a payment gateway.
But about SHA I'm not quite sure to understand. SHA means Secure Hash
Algorithm, so why do you add /ash after SHA ?
I know we use SHA for login password, so I'm no sure of what you mean. Do you mean that we should not use salted SHA in OFBiz at
all ?
Jacques
