KonaKart Community Forum

General Category => Feature Requests => Topic started by: Steveinjava on March 18, 2008, 04:01:34 pm

Title: Password encryption
Post by: Steveinjava on March 18, 2008, 04:01:34 pm
Unless I am wrong (quite a common event :o), the registration form for new clients is sent using HTTP and the password field is not encrypted. This means anyone listening in when this is posted back to the server has the ability to access konakartadmin later (hence allowing malicious changes or new delivery addresses to be set up...).
It would seem an obvious and easy mod to use MD5 or SHA-1 to encrypt it? Java can do this easily enough.
I only became aware of this when a client asked me about it - he ideally wanted HTTPS to be used, but I would not expect many site owners to want to pay for that or the extra work involved.
What does anybody else think?
Title: Re: Password encryption
Post by: julie on March 18, 2008, 04:20:30 pm
Hi Steve,

Try switching on HTTPS in the Admin App under Configuration>>HTTP / HTTPS then you should see that the registration page is HTTPS.
Title: Re: Password encryption
Post by: Steveinjava on March 18, 2008, 09:38:05 pm
Julie, thanks - but the point is I cannot justify an HTTPS page to my client, and I doubt many could for 'just' the registration page.
I did try turning HTTPS on just to see the effect, but it just warns that the certificate is not in the right name and then, despite accepting this, the page does not load.
Encryption would avoid this necessity although clients do like to see the padlock symbol I realise.
Title: Re: Password encryption
Post by: julie on March 19, 2008, 06:12:14 am
We recommend using HTTPS whenever the customer is actually logged in, and not just for the registration page. However, if you just want to encrypt the password on the registration page, you have all of the source code required (i.e. the JSP, Struts form and Struts action).
Title: Re: Password encryption
Post by: kate on March 19, 2008, 08:12:12 am
About your comment:

Quote: "Unless I am wrong (quite a common event) the registration form for new clients is sent using http and the password field is not encrypted. This means anyone listening in when this is posted back to the server has the ability to access konakartadmin later"

You can't create an admin user from the user registration page, so this isn't possible - but regardless, if you want visitors to your shop to trust it enough to part with money, it really makes sense to use SSL.

In addition, a custom encryption will almost certainly not be as fast as the browser implementation and will be clearly visible to the hacker as well... I wouldn't reinvent this wheel if I were you.

Kate