[thelist] authorize.net says md5 algorithm error prone
Keith
cache at dowebs.com
Mon Jun 6 12:05:21 CDT 2005
At 08:50 PM Sunday 6/5/2005, you wrote:
>The following steps are used by the merchant to evaluate the MD5 signature:
>1. Create a script to receive transaction results.
>2. Run the MD5 algorithm on the fields indicated above.
>3. Determine if the signature created matches the signature that was
>returned by the gateway.
>4. If the signatures match, the response was sent by the gateway.
I'm not familiar with Authorize.net's scheme, but I use the same MD5
concept a lot to validate transactions. There should be another piece to
this puzzle when using an MD5 authentication - both parties must be sharing
a secret. That secret is a "salt" used by MD5's crypt() to generate the
signature. Without a shared secret salt anyone watching your traffic could
generate a valid signature for an invalid transaction. If this error is
happening consistently then I'd suspect your copy of the shared secret is
wrong. If it's happening intermittently then I'd suspect that either
Authorize.net, or your validation script, is occasionally using the wrong
salt (failure to correctly read the salt). This could happen on
Authorize.net's end for a variety of reasons, mainly traffic overload that
times out their lookup of your salt in their database.
>good for business. So I don't know whether to leave it and possibly piss off
>some customers or take it off and possibly open up my site to attack.
>Either way, I'm not happy with Authorize.net and the error or their
>explanation.
In my personal experience, Authorize.net has never been in the business of
making people happy. But I would not disable it, especially if you are
delivering digital goods at the time of the transaction. Alter your
validation script to write all such errors to a separate log and spit out
an email to you each time it happens. Then daily (or more frequently)
compare against your transaction history at Authorize.net. The rules work
most of the time, just set up to manage the exceptions to the rules. That's
just good business practice.
Keith
cache at dowebs.com
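As an added example (not code from the list post or from Authorize.net) of the check Keith describes: both sides hash a shared secret together with the response fields, the merchant recomputes the digest and compares it, and every mismatch is written to a separate log for later reconciliation against the gateway's transaction history. The field names, the secret and the sample transaction are constructed for illustration; the real gateway's field list is not on the page.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Both sides must hash the same fields in the same order.
# Assumption: these field names are constructed, not the gateway's own.
SIGNED_FIELDS = ("login_id", "trans_id", "amount")


def gateway_sign(secret: str, fields: dict) -> str:
    """Gateway side: MD5 over the shared secret followed by the signed fields."""
    material = secret + "".join(str(fields[name]) for name in SIGNED_FIELDS)
    return hashlib.md5(material.encode("utf-8")).hexdigest().upper()


def verify_response(secret: str, response: dict, mismatch_log: list) -> bool:
    """Merchant side: recompute the signature and compare in constant time.
    A mismatch is appended to a separate log rather than silently dropped,
    so it can be reconciled later against the gateway's own records."""
    expected = gateway_sign(secret, response)
    received = str(response.get("md5_hash", "")).upper()
    ok = hmac.compare_digest(expected, received)
    if not ok:
        mismatch_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "trans_id": response.get("trans_id"),
            "amount": response.get("amount"),
            "reason": "signature mismatch",
        })
    return ok


# Constructed sample data (not real credentials or transactions).
GATEWAY_SECRET = "correct-shared-secret"
SAMPLE_RESPONSE = {"login_id": "merchant1", "trans_id": "1000000001", "amount": "19.99"}
SAMPLE_RESPONSE["md5_hash"] = gateway_sign(GATEWAY_SECRET, SAMPLE_RESPONSE)


def demo() -> dict:
    """Three cases: correct secret, amount altered in transit, stale merchant secret."""
    log = []
    good = verify_response(GATEWAY_SECRET, SAMPLE_RESPONSE, log)
    forged = dict(SAMPLE_RESPONSE, amount="0.01")  # fields no longer match the digest
    tampered = verify_response(GATEWAY_SECRET, forged, log)
    stale = verify_response("stale-secret", SAMPLE_RESPONSE, log)  # consistent failure
    return {"good": good, "tampered": tampered, "stale_secret": stale, "logged": len(log)}


if __name__ == "__main__":
    print(demo())
```

The stale-secret case fails on every transaction, which is the "consistent error" Keith attributes to a wrong copy of the shared secret; a tampered field fails only for that one response.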