[thelist] authorize.net says md5 algorithm error prone

Keith cache at dowebs.com
Mon Jun 6 12:05:21 CDT 2005


At 08:50 PM Sunday 6/5/2005, you wrote:

>The following steps are used by the merchant to evaluate the MD5 signature:
>1.  Create a script to receive transaction results.
>2.  Run the MD5 algorithm on the fields indicated above.
>3.  Determine if the signature created matches the signature that was 
>returned by the gateway.
>4.  If the signatures match, the response was sent by the gateway.

I'm not familiar with Authorize.net's scheme, but I use the same MD5 
concept a lot to validate transactions. There should be another piece to 
this puzzle when using MD5 authentication: both parties must be sharing 
a secret. That secret is a "salt" used by MD5's crypt() to generate the 
signature. Without a shared secret salt, anyone watching your traffic could 
generate a valid signature for an invalid transaction. If this error is 
happening consistently, then I'd suspect your copy of the shared secret is 
wrong. If it's happening intermittently, then I'd suspect that either 
Authorize.net or your validation script is occasionally using the wrong 
salt (failure to correctly read the salt). This could happen on 
Authorize.net's end for a variety of reasons, mainly traffic overload that 
times out their lookup of your salt in their database.

>good for business. So I don't know whether to leave it and possibly piss off 
>some customers or take it off and possibly open up my site to attack. 
>Either way, I'm not happy with Authorize.net and the error or their 
>explanation.

In my personal experience, Authorize.net has never been in the business of 
making people happy. But I would not disable it, especially if you are 
delivering digital goods at the time of the transaction. Alter your 
validation script to write all such errors to a separate log and spit out 
an email to you each time it happens. Then daily (or more frequently) 
compare against your transaction history at Authorize.net. The rules work 
most of the time; just set up to manage the exceptions to the rules. That's 
just good business practice.


Keith
cache at dowebs.com 
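The verification the thread describes, as an added example that is not part of the original post and not Authorize.net's own code: the merchant recomputes the MD5 signature over the shared secret plus the response fields, compares it to the signature the gateway sent, and writes any mismatch to a separate log for later reconciliation instead of silently accepting the transaction. The field names (`x_trans_id`, `x_amount`, `x_MD5_Hash`) and the hashing order (secret, then API login, then the signed fields) are assumptions for this example; the post only says "the fields indicated above". The credentials and transaction values are constructed sample data.

```python
import hashlib
import hmac
import logging

# Field names and hashing order are ASSUMED for this example
# (secret, then API login, then transaction id, then amount);
# the original post only says "the fields indicated above".
SIGNED_FIELDS = ("x_trans_id", "x_amount")
SIGNATURE_FIELD = "x_MD5_Hash"

# Mismatches go to their own log, as the reply suggests, so they can be
# reconciled against the gateway's transaction history.
mismatch_log = logging.getLogger("gateway.signature_mismatch")


def compute_signature(secret: str, login: str, response: dict) -> str:
    """Return the uppercase hex MD5 of secret + login + the signed fields."""
    material = secret + login + "".join(str(response[f]) for f in SIGNED_FIELDS)
    return hashlib.md5(material.encode("utf-8")).hexdigest().upper()


def signature_is_valid(secret: str, login: str, response: dict) -> bool:
    """True only if the gateway's signature matches one computed with our secret."""
    expected = compute_signature(secret, login, response)
    received = str(response.get(SIGNATURE_FIELD, "")).upper()
    # Constant-time compare so timing does not leak how many characters matched.
    return hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8"))


def process_response(secret: str, login: str, response: dict) -> bool:
    """Validate one posted response; log and reject it on a signature mismatch."""
    if signature_is_valid(secret, login, response):
        return True
    mismatch_log.warning(
        "signature mismatch trans_id=%s amount=%s received=%s",
        response.get("x_trans_id"),
        response.get("x_amount"),
        response.get(SIGNATURE_FIELD),
    )
    return False


# Constructed sample data: not real credentials or a real transaction.
SECRET = "example-shared-secret"
LOGIN = "example-login"


def make_sample_response(secret: str = SECRET) -> dict:
    """Build a response signed the way the gateway would with the given secret."""
    resp = {"x_trans_id": "1000000001", "x_amount": "19.99"}
    resp[SIGNATURE_FIELD] = compute_signature(secret, LOGIN, resp)
    return resp


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    good = make_sample_response()
    print("valid response accepted:", process_response(SECRET, LOGIN, good))
    # Someone altering the amount in transit cannot produce a matching signature
    # without the shared secret, so the tampered copy is rejected and logged.
    tampered = dict(good, x_amount="0.01")
    print("tampered amount rejected:", not process_response(SECRET, LOGIN, tampered))
    # A wrong local copy of the secret fails every time, matching the
    # "consistent failure" diagnosis in the reply.
    print("wrong secret rejected:", not process_response("wrong-secret", LOGIN, good))
```

A response that fails the check is not treated as a gateway error to be ignored; it is written to the mismatch log so the daily comparison against the gateway's transaction history can show whether the failures are constant (wrong secret on one side) or intermittent (the gateway or the script occasionally picking up the wrong secret).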

