[thelist] authorize.net says md5 algorithm error prone
Erik Heerlein
erik at erikheerlein.com
Sat Jun 4 15:47:26 CDT 2005
For a recent customer's transaction, there was not a match from the MD5
hash that was returned from the gateway, signaling to me that the
response was, in reality, somehow forged and not from authorize.net, and
it appeared as if the customer was trying to falsify the response.
However, authorize.net had authorized the transaction and said things
were fine with the card and the customer is legit. I had implemented
the MD5 hash about 5 months ago; this is the first problem.

I contacted authorize.net and they said that the MD5 hash is error
prone, is optional and they recommended disabling it and not using it
as a security feature. This goes against everything I have read about
internet security and even contradicts authorize.net's own
documentation. However, this belief was confirmed by a second tech
support person at authorize.net.

Is the MD5 hash worth using? Is it error prone or is it authorize.net's
implementation of it that is error prone? It just seems incredible
that to get my site to work correctly, they suggest that I make it less
secure.

[>] Erik Heerlein
Web Developer
843-762-9382
erik at erikheerlein.com
http://www.erikheerlein.com