Dar,

I wish I knew the answers to your questions. I worked on this issue with technical people at Authorize.net (after passing through MANY hands) and at Rev to find an answer that seemed to satisfy everyone. I was given the impression the Comodo certificate, along with the transaction key, provided adequate security. Hope this is correct.

Richard


On Feb 8, 2005, at 4:30 PM, Dar Scott wrote:


On Feb 8, 2005, at 5:38 AM, Richard Miller wrote:

I can now post a simple, effective, secure solution to processing a credit card through Rev.

Thanks for the detailed how-to.

From the CardPresent documentation I get the impression that the client needs to have a certificate. Assuming I understand your example correctly, it does not. That is OK, I think; merchant authentication in CP is based on the shared secret in x_tran_key. The Revolution documentation says that the client will be able to submit a certificate only in the future, so it is good news that a method is available that does not need it.

I wonder if there is a way to improve security in this. This uses the Comodo CA root certificate. I would guess that there are many certificates signed by Comodo. An owner of a signed certificate might be able to exploit the Revolution SSL name-matching vulnerability (bugzilla 2545). Perhaps security might be improved if you could use a more specific root, perhaps one directly from authorize.net.

I noticed that CP response verification uses MD5, which Revolution can do if it is desired.

Dar

--
**********************************************
    DSC (Dar Scott Consulting & Dar's Lab)
    http://www.swcp.com/dsc/
    Programming Services and Software
**********************************************

_______________________________________________
use-revolution mailing list
use-revolution@lists.runrev.com
http://lists.runrev.com/mailman/listinfo/use-revolution
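The weakness Dar raises above (a certificate correctly signed by the same CA but issued for some other host being accepted) is closed by hostname verification, the step that compares the name the client intended to reach against the names the presented certificate actually carries. The following Python is an added illustration written for this archive page; it is not code from the list, from Revolution, or from Authorize.net. It assumes RFC 6125-style matching rules (exact match, or a single `*` as the whole leftmost label that must cover at least two further labels) and uses `secure.authorize.net` purely as an illustrative endpoint name; the certificate name lists are constructed sample data.

```python
# Added example: hostname verification as a separate check from chain validation.
# Assumption: every certificate below chains to the same trusted root, so chain
# validation alone accepts all of them; only the name check tells them apart.

EXPECTED_HOST = "secure.authorize.net"  # illustrative endpoint, not taken from the thread

# Constructed sample data: names each certificate's subjectAltName would carry.
SAMPLE_CERTS = {
    "gateway": ["secure.authorize.net", "www.authorize.net"],
    "other-customer-same-ca": ["shop.example.com", "*.example.com"],
    "wildcard-gateway": ["*.authorize.net"],
    "overbroad-wildcard": ["*.net"],  # too broad; a conforming matcher rejects it
}


def hostname_matches(hostname, san_names):
    """Return True if hostname matches one of the certificate's DNS names.

    Rules (RFC 6125 style, the assumption stated in the lead-in):
      * comparison is case-insensitive and ignores a trailing dot;
      * an exact match always succeeds;
      * a wildcard must be the entire leftmost label, must cover at least
        two further labels (so "*.net" never matches), and matches exactly
        one label (so "*.authorize.net" matches "a.authorize.net" but not
        "authorize.net" or "a.b.authorize.net").
    """
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for name in san_names:
        pattern = name.lower().rstrip(".")
        pattern_labels = pattern.split(".")
        if pattern == host:
            return True
        if (
            pattern_labels[0] == "*"
            and len(pattern_labels) >= 3
            and len(pattern_labels) == len(host_labels)
            and pattern_labels[1:] == host_labels[1:]
        ):
            return True
    return False


def verify_peer(hostname, chain_is_valid, san_names):
    """Combine the two checks a TLS client must make before trusting a peer.

    chain_is_valid stands in for the signature/chain validation the TLS
    library performs against the configured root; the name check is the
    part this example adds on top of it.
    """
    if not chain_is_valid:
        return False, "certificate does not chain to a trusted root"
    if not hostname_matches(hostname, san_names):
        return False, "certificate is valid but not issued for %s" % hostname
    return True, "ok"


def check_samples(hostname=EXPECTED_HOST):
    """Run verify_peer over every constructed certificate; returns name -> accepted."""
    return {
        label: verify_peer(hostname, True, names)[0]
        for label, names in SAMPLE_CERTS.items()
    }


if __name__ == "__main__":
    for label, names in SAMPLE_CERTS.items():
        accepted, reason = verify_peer(EXPECTED_HOST, True, names)
        print("%-24s %-8s %s" % (label, "ACCEPT" if accepted else "REJECT", reason))
```

Run as a script it prints one line per sample certificate; only `gateway` and `wildcard-gateway` are accepted, while the certificate from another customer of the same CA is rejected even though its chain is fine, which is exactly the distinction the name-matching bug removed.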

