Password encryption

Started by Steveinjava, March 18, 2008, 04:01:34 pm


Steveinjava

Unless I am wrong (quite a common event :o), the registration form for new clients is sent using HTTP and the password field is not encrypted. This means anyone listening in when this is posted back to the server has the ability to access konakartadmin later (hence allowing malicious changes or new delivery addresses to be set up...).
It would seem an obvious and easy mod to use MD5 or SHA-1 to encrypt it? Java can do this easily enough.
I only became aware of this when a client asked me about it. He ideally wanted HTTPS to be used, but I would not expect many site owners to want to pay for that or the extra work involved.
What does anybody else think?

julie

Hi Steve,

Try switching on HTTPS in the Admin App under Configuration>>HTTP / HTTPS then you should see that the registration page is HTTPS.

Steveinjava

Julie, thanks, but the point is I cannot justify an HTTPS page to my client, and I doubt many could for 'just' the registration page.
I did try turning HTTPS on just to see the effect, but it just warns that the certificate is not in the right name, and then, despite accepting this, the page does not load.
Encryption would avoid this necessity, although clients do like to see the padlock symbol, I realise.

julie

We recommend using HTTPS whenever the customer is actually logged in, and not just for the registration page. However, if you just want to encrypt the password of the registration page, you have all of the source code required (i.e. the JSP, Struts form and Struts action).

kate

About your comment:

Quote: Unless I am wrong (Quite a common event) the registration form for new clients is sent using http and the password field is not encrypted. This means anyone listening in when this is posted back to the server has the ability to access konakartadmin later

You can't create an admin user from the user registration page so this isn't possible - but regardless, if you want visitors to your shop to trust it enough to part with money, it really makes sense to use SSL.   

In addition, a custom encryption will almost certainly not be as fast as the browser implementation and will be clearly visible to the hacker as well... I wouldn't reinvent this wheel if I were you.

Kate
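The trade-off Kate and Julie describe, modelled as an added example (not KonaKart code and not written by anyone in this thread): each of the three designs is reduced to what the browser transmits and what the server stores, and the two checks ask whether either artefact, on its own, passes the login check. The password, salt and iteration count are constructed for the model.

```python
"""Threat-model comparison of the designs discussed in the thread.

A scheme is (value on the wire, value stored server-side, verify function).
The wire value is None when TLS hides the request body from a passive observer.
"""
import hashlib
import hmac
import os

PASSWORD = "constructed-sample-password"  # constructed for the model, not a real account
SALT = os.urandom(16)                      # per-user salt the server would store alongside the hash


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def _pbkdf2(s: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", s.encode(), SALT, 100_000).hex()


def _compare(submitted: str, stored: str) -> bool:
    return hmac.compare_digest(submitted, stored)


def _compare_salted(submitted: str, stored: str) -> bool:
    return hmac.compare_digest(_pbkdf2(submitted), stored)


SCHEMES = {
    # Steve's proposal: the browser hashes, the server compares the hash as-is.
    "client MD5 over HTTP": (_md5(PASSWORD), _md5(PASSWORD), _compare),
    # Plain password over HTTP, but the server stores a salted PBKDF2 hash.
    "plaintext over HTTP, salted hash stored": (PASSWORD, _pbkdf2(PASSWORD), _compare_salted),
    # Kate's and Julie's recommendation: same server-side hashing, request protected by TLS.
    "plaintext over HTTPS, salted hash stored": (None, _pbkdf2(PASSWORD), _compare_salted),
}


def credential_exposure(scheme: str) -> dict:
    """Does a captured request, or the stored record alone, log the holder in?"""
    on_wire, stored, verify = SCHEMES[scheme]
    return {
        # What a passive observer of the HTTP request holds.
        "wire_capture_logs_in": on_wire is not None and verify(on_wire, stored),
        # What a leaked database row holds, submitted back as the credential.
        "stored_record_logs_in": verify(stored, stored),
    }
```

The client-side hash fails on both counts: the value on the wire is the credential, and so is the stored row, because the server never applies its own hashing.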