Thanks for the clarification David

Jacques

From: "David E Jones" <david.jo...@hotwaxmedia.com>
On Apr 14, 2009, at 1:57 PM, Jacques Le Roux wrote:

From: "David E Jones" <david.jo...@hotwaxmedia.com>
On Apr 14, 2009, at 11:21 AM, Jacques Le Roux wrote:

From: "Ashish Vijaywargiya" <ashish.vijaywarg...@hotwaxmedia.com>
Hello Marco,

Thanks for your wonderful work in this area.
I truly appreciate your efforts.

Here are a few thoughts / comments:

1) We are saving the password as it is.
https://localhost:8443/accounting/control/ViewGatewayConfiguration?paymentGatewayConfigId=PAYFLOWPRO_CONFIG
I think we should encrypt the password before saving it to the database and
not show the password as it is when fetching it from the database.
Thoughts?

+1, using what we already use (also SHA that should be salted at some point in the future)

These are all good changes, so thanks to Jacques and especially Ashish for the comments.

For the gateway password encryption we'll want to use the Entity Engine's built-in two-way encryption. We can't use SHA/hash encryption because we have to be able to decrypt these passwords to send them to the payment gateway (i.e. they would never accept a hashed form of the password, that is a big security hole and basically nullifies most of the benefit of the hash, which is why by default we don't allow that in OFBiz either).

-David

Hi David,

I understand that we need a 2-way encryption for a payment gateway.
But about SHA I'm not quite sure I understand. SHA means Secure Hash Algorithm, so why do you add /hash after SHA? I know we use SHA for login passwords, so I'm not sure what you mean. Do you mean that we should not use salted SHA in OFBiz at all?

SHA is a hash algorithm, but there are other hash algorithms and that is why I wrote "SHA/hash".

My main point is that a normal password hash algorithm is not relevant here as it can't be used when 2-way encryption is needed, that's all.

-David
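
As an added illustration of the distinction drawn in this thread (this is example code, not code from the thread and not the OFBiz Entity Engine's own encryption implementation): a salted SHA-256 hash for a login password, which can only be verified and never reversed, beside AES-256-GCM for a gateway credential, which must be decrypted again before it is sent to the processor. The key, salt and sample passwords are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
)

// LoginHash is what would be stored for a login password: the salt and the
// digest of salt||password. There is deliberately no way to recover the
// password from it.
type LoginHash struct {
	Salt   []byte
	Digest []byte
}

// HashLoginPassword is the one-way case: salted SHA-256, as proposed in the
// thread for login passwords. (A slow password KDF such as PBKDF2 or bcrypt
// is the stronger choice today; SHA-256 is used here to match the thread.)
func HashLoginPassword(password string, salt []byte) LoginHash {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return LoginHash{Salt: salt, Digest: h.Sum(nil)}
}

// VerifyLoginPassword recomputes the digest with the stored salt and compares
// in constant time. Checking is all a hash allows; recovery is impossible.
func VerifyLoginPassword(stored LoginHash, candidate string) bool {
	again := HashLoginPassword(candidate, stored.Salt)
	return subtle.ConstantTimeCompare(stored.Digest, again.Digest) == 1
}

// EncryptGatewayPassword is the two-way case: AES-256-GCM under a key kept
// outside the database. The random nonce is prepended to the ciphertext.
func EncryptGatewayPassword(key []byte, password string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(password), nil), nil
}

// DecryptGatewayPassword reverses EncryptGatewayPassword; GCM also rejects a
// stored record that has been altered.
func DecryptGatewayPassword(key, ciphertext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return "", errors.New("ciphertext shorter than nonce")
	}
	nonce, sealed := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	// Constructed sample values: a real deployment draws the salt from
	// crypto/rand per user and loads the key from configuration, not source.
	salt := []byte("constructed-salt")
	stored := HashLoginPassword("login-secret", salt)
	fmt.Println("login password verifies:", VerifyLoginPassword(stored, "login-secret"))
	key := bytes.Repeat([]byte{0x42}, 32) // constructed 256-bit key
	ct, err := EncryptGatewayPassword(key, "gateway-secret")
	if err != nil {
		panic(err)
	}
	pt, err := DecryptGatewayPassword(key, ct)
	if err != nil {
		panic(err)
	}
	fmt.Println("gateway password recovered for the processor:", pt)
}
```

The two halves are not interchangeable: the gateway needs the original string back, so only the second form works for it, while storing login passwords in that second form would expose every account to whoever holds the key.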

