A simple Rev credit card processing solution

Richard Miller wow at together.net
Tue Feb 8 21:24:02 EST 2005


Dar,

I wish I knew the answers to your questions. I worked on this issue 
with technical people at Authorize.net (after passing through MANY 
hands) and at Rev to find an answer that seemed to satisfy everyone. I 
was given the impression the Comodo certificate, along with the 
transaction key, provided adequate security. Hope this is correct.

Richard


On Feb 8, 2005, at 4:30 PM, Dar Scott wrote:

>
> On Feb 8, 2005, at 5:38 AM, Richard Miller wrote:
>
>> I can now post a simple, effective, secure solution to processing a 
>> credit card through Rev.
>
> Thanks for the detailed how-to.
>
> From the CardPresent documentation I get the impression that the 
> client needs to have a certificate.  Assuming I understand your 
> example correctly, it does not.  That is OK, I think; merchant 
> authentication in CP is based on the shared secret in x_tran_key.  The 
> Revolution documentation says that the client will be able to submit a 
> certificate only in the future, so it is good news that a method is 
> available that does not need it.
>
> I wonder if there is a way to improve security in this.  This uses the 
> Comodo CA root certificate.  I would guess that there are many 
> certificates signed by Comodo.  An owner of a signed certificate might 
> be able to exploit the Revolution SSL name-matching vulnerability 
> (bugzilla 2545).  Perhaps security might be improved if you could use 
> a more specific root, perhaps one directly from authorize.net.
>
> I noticed that CP response verification uses MD5, which Revolution can 
> do if it is desired.
>
> Dar
>
> -- 
> **********************************************
>     DSC (Dar Scott Consulting & Dar's Lab)
>     http://www.swcp.com/dsc/
>     Programming Services and Software
> **********************************************
>
> _______________________________________________
> use-revolution mailing list
> use-revolution at lists.runrev.com
> http://lists.runrev.com/mailman/listinfo/use-revolution
>
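
The name-matching concern raised in the quoted message, as an added Python example that is not part of the original thread and is not Revolution code: a certificate that chains to the trusted root is accepted for the wrong host unless its names are also checked against the host being contacted. The host names, sample certificates and function names are constructed for illustration, and chain validation is assumed to be done by the TLS library.

```python
# Constructed sample certificates, in the dict shape returned by Python's
# ssl.SSLSocket.getpeercert(). Both are assumed to chain to the same trusted root CA.
GATEWAY_CERT = {
    "subject": ((("commonName", "gateway.example"),),),
    "subjectAltName": (("DNS", "gateway.example"), ("DNS", "*.pay.gateway.example")),
}
OTHER_CUSTOMER_CERT = {
    "subject": ((("commonName", "shop.other.example"),),),
    "subjectAltName": (("DNS", "shop.other.example"),),
}

def cert_dns_names(cert):
    """DNS names from subjectAltName, falling back to commonName if there are none."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names += [v for k, v in rdn if k == "commonName"]
    return [n.lower().rstrip(".") for n in names]

def name_matches(pattern, host):
    """Exact match, or a '*' that stands for exactly one left-most label."""
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse wildcards directly under a top-level label, such as '*.example'.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def hostname_ok(cert, host):
    host = host.lower().rstrip(".")
    return any(name_matches(n, host) for n in cert_dns_names(cert))

def accept_connection(cert, host, chain_trusted, check_name=True):
    """chain_trusted: result of CA chain validation (assumed input).
    check_name=False models a client that skips name matching."""
    if not chain_trusted:
        return False
    return hostname_ok(cert, host) if check_name else True

if __name__ == "__main__":
    for label, cert in (("gateway", GATEWAY_CERT), ("other customer", OTHER_CUSTOMER_CERT)):
        print(label,
              "| without name check:", accept_connection(cert, "gateway.example", True, False),
              "| with name check:", accept_connection(cert, "gateway.example", True))
```
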


