On Feb 8, 2005, at 5:38 AM, Richard Miller wrote:
I can now post a simple, effective, secure solution to processing a credit card through Rev.
Thanks for the detailed how-to.
From the CardPresent documentation I get the impression that the client needs to have a certificate. Assuming I understand your example correctly, it does not. That is OK, I think; merchant authentication in CP is based on the shared secret in x_tran_key. The Revolution documentation says that the client will be able to submit a certificate only in the future, so it is good news that a method is available that does not need it.
I wonder if there is a way to improve security in this. This uses the Comodo CA root certificate. I would guess that there are many certificates signed by Comodo. An owner of a signed certificate might be able to exploit the Revolution SSL name-matching vulnerability (bugzilla 2545). Perhaps security might be improved if you could use a more specific root, perhaps one directly from authorize.net.
I noticed that CP response verification uses MD5, which Revolution can do if it is desired.
Dar
--
**********************************************
DSC (Dar Scott Consulting & Dar's Lab)
http://www.swcp.com/dsc/
Programming Services and Software
**********************************************_______________________________________________ use-revolution mailing list use-revolution@lists.runrev.com http://lists.runrev.com/mailman/listinfo/use-revolution
