AIM Module - MD5 Hash Is Going Away. Is there an update?


phi148

Authorize.Net is phasing out the MD5 based transHash element in favor of the SHA-256 based transHashSHA2. The setting in the Merchant Interface which controls the MD5 Hash option will be removed by the end of January 2019, and the transHash element will stop returning values at a later date to be determined.  

Please contact and work with your web developer or solutions provider to verify if you are still utilizing MD5 based hash and if still needed to move to SHA-256 hash via Signature Key. 

 Please refer your developer or solution provider to our Transaction Hash Upgrade Guide for more details and information on this change.  

****

I received the above in an email from authorize.net.  Just curious if anyone is planning on updating the module to support this?  More info here: https://developer.authorize.net/support/hash_upgrade/?utm_campaign=19Q2 MD5 Hash EOL Merchant&utm_medium=email&utm_source=Eloqua

****

@phi148 Bill, I received that same notice but I'm not sure we need to do anything.  My AIM module doesn't have anything set in the MD5 option field so I don't think it is being used.  In any case we're lucky to have an authorize.net wizard on here so I'll summon him.  @John W  John what's your take on this?

Dan

 

****

I didn't receive anything from A.net on this.  A quick read on those links talks about it for SIM and DPM.  I've always left the md5 blank but I noticed it does get a return in the debug emails.  I've thought in the past that the md5 was for SIM and DPM.  We'll have to look into this more. 

I'm not really a dog.

****

I always use the MD5 hash ... simply for added security.  It is optional.

However, as Wiljen and John stated above, this is not good news that AIM is now deprecated.   I was not aware of that.

We probably will survive for quite some time still... however, this will eventually bite us if we don't create a new OSC addon for the new authorize.net API :(

Edited by phi148
****

Looks like everything will be handled via their API.  I got a survey request wanting to know what shopping cart software I was using.  osC was not even on the list.  Now that's not good. 😧

Dan

****

13 minutes ago, WIljen said:

so if we just blank that field it will cease using the MD5 hash and continue to work?  (at least for the time being)  

 

I know it currently works without it but I don't know if it will continue to or not.   Sounds like we need a new module that works with their API.

Dan

****

The CIM method has a lot of added functionality.  You can use it to save credit card data with authorize.net in a PCI safe manner, and subscriptions etc. are easily implemented.  I have built the CIM based system to save card info etc.  I will see if I have some time to put a package together, just that the extraction etc. will take some work to do and I'm not sure I have the time until after vacation and work load.  There are some class implementations if anyone wants to start it up on development:

https://github.com/stymiee/Authorize.Net-XML

cheers

Peter

 

Peter McGrath

-----------------------------

See my Profile (click here) for more information and to contact me for professional osCommerce support that includes SEO development, custom development and security implementation

****

6 minutes ago, John W said:

Hey Peter, CIM is listed as End of Life on the upgrade guide.

https://developer.authorize.net/api/upgrade_guide/

 

For hosted forms.   For XML it is the preferred method of implementation :)

The link I sent is for XML implementation classes

Hosted forms have not been in use for a very long time now.

cheers

Peter

 

 


****

People might want to read this post below on the a.net support forum.   From what I remember the md5 is only needed for SIM.  I've been searching through all the developer info and working on the forums.  It's been a long time since I poked around here.

Check this link

https://support.authorize.net/s/article/Do-I-need-to-upgrade-my-transaction-fingerprint-from-HMAC-MD5-to-HMAC-SHA512-and-how

 

I'm not really a dog.

****

On my test site using my AIM module on their test server/sandbox it works with all the MD5 code commented out of the aim module.  I never had anything entered for it and all the md5 code was contingent on something being entered.  I think the md5 code was carry over from when Harald did the SIM module, but I'm guessing.

I also downloaded their SDK for the api and have played with that a little on my test site with Netbeans.  Netbeans is helpful because it parses the code and can take you right to a class or method without having to hunt for it.  Since they have about 500 files in this api, NB is really helpful.  I used their sample code to get it to work from my test site.  I think we could reuse a lot of the aim module code and convert it to use the api. 

I'm not really a dog.

****

  Authorize sent this via email today. Apparently there is a bit more time to address this than might originally have been thought.

Authorize.Net is phasing out the MD5 hash, an older method used by shopping carts, payment modules and plugins to verify that transaction responses are genuine and from Authorize.Net. We have identified that you have this feature configured and may be relying on this older method. 
 
Please contact your web developer or solutions provider and confirm if you are using an MD5-based hash.  If so, you should begin plans for moving to SHA-512 hash via Signature Key.
 
The MD5 Hash will phase out in two phases:
 
Phase 1 - Starting later this month to early February 2019, we will remove ability to configure or update MD5 Hash setting in the Merchant Interface. There are no changes to the existing API response.
Phase 2 - Stop sending the MD5 Hash data element in the API response. This change will require that applications support the SHA-512 hash via signature key.  Dates for phase 2 will be announced later but is expected in the next 2-3 months.
 
Please refer to our support article: MD5 Hash End of Life & Signature Key Replacement for more details and information on this change.  
 
Thank you for your attention to this matter and for being an Authorize.Net merchant.  
 
Sincerely, 
Authorize.Net 
 
****
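The e-mail above asks modules to verify responses with a SHA-512 hash via Signature Key instead of the MD5 hash. The following PHP sketch of that check is an added example, not part of the thread and not code from osCommerce or Authorize.Net. It assumes the signed message is `^<API login ID>^<transaction ID>^<amount>^` and that the Signature Key is supplied hex-encoded; both should be confirmed against the Transaction Hash Upgrade Guide. The function names and sample values are hypothetical.

```php
<?php
// Added example. Assumptions (not from the thread): message layout
// "^login^transId^amount^" and a hex-encoded Signature Key.

function anet_expected_hash(string $signatureKeyHex, string $apiLoginId,
                            string $transId, string $amount): string
{
    // Reject a malformed key up front instead of hashing with an empty one.
    if ($signatureKeyHex === '' || strlen($signatureKeyHex) % 2 !== 0
        || !ctype_xdigit($signatureKeyHex)) {
        throw new InvalidArgumentException('Signature Key must be even-length hex');
    }
    $key = hex2bin($signatureKeyHex);
    $message = '^' . $apiLoginId . '^' . $transId . '^' . $amount . '^';
    return strtoupper(hash_hmac('sha512', $message, $key));
}

function anet_response_is_genuine(string $signatureKeyHex, string $apiLoginId,
                                  string $transId, string $amount,
                                  ?string $receivedHash): bool
{
    // Fail closed: a missing or empty hash is never treated as valid,
    // so a response with the element stripped out is rejected.
    if ($receivedHash === null || $receivedHash === '') {
        return false;
    }
    $expected = anet_expected_hash($signatureKeyHex, $apiLoginId, $transId, $amount);
    // hash_equals() compares in constant time, unlike == or strcmp().
    return hash_equals($expected, strtoupper($receivedHash));
}

// Constructed sample values, not real credentials or transactions.
$key    = str_repeat('0f', 64);          // 128 hex characters
$login  = 'EXAMPLE_LOGIN';
$tid    = '1234567890';
$amount = '19.99';                       // must match the formatting that was signed
$hash   = anet_expected_hash($key, $login, $tid, $amount);

var_dump(anet_response_is_genuine($key, $login, $tid, $amount, $hash)); // untouched response
var_dump(anet_response_is_genuine($key, $login, $tid, '1.99', $hash));  // amount altered
var_dump(anet_response_is_genuine($key, $login, $tid, $amount, null));  // hash element missing
```

A module that only verifies when a key is configured, as the MD5 code in the AIM module is described doing in this thread, accepts every response when the field is left blank; the check above only adds protection if the key is set and a failed comparison rejects the order.

****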

I think all we have to do is remove the MD5 code.  AIM never needed this in the first place.  Of course, someone could contact A.net to verify. On my test account, I have removed the code and it works fine.  I never used MD5.

I'm not really a dog.

****

You can get the current cert at this link.

https://github.com/AuthorizeNet/sdk-php/blob/master/lib/ssl/cert.pem

I'm not really a dog.

****

You can go search through the A.net info, but here's a piece of their info on md5.

" Note that the MD5 Hash option exists for transaction responses sent by means of the Advanced Integration Method (AIM) or the Card Present (CP) implementation methods. However, these methods use Secure Sockets Layer (SSL) to ensure that the transaction response is legitimate, and so it is not as useful for AIM or CP merchants. "

That comes from this link, but you can find several on their developer site.

https://support.authorize.net/s/article/What-is-the-MD5-Hash-Security-feature-and-how-does-it-work

I'm not really a dog.

****

Hi John,

Yes, SSL does provide security - but only between the client and the server.  It does not ensure the data itself traversing the SSL is accurate.  Hashing, encryption, etc.. protects the data itself from breaches and verifies the validity of said data.

Is it overkill? Probably... and again personal preference.  In my opinion, if the option to further validate my data is there, I'll take it.

Notice they say "not as useful for AIM or CP merchants".  If it was completely "not useful" then I imagine it would have been abandoned entirely.

 

 

****

I have a question about AIM. When you make a test transaction, do you see the test transaction in Authorize.Net? I think it accepts only live transactions?

Could you confirm?

Thanks


Regards
-----------------------------------------
Loïc

Contact me by skype for business
Contact me @gyakutsuki for an answer on the forum

 

****

When I use the test server, I use it in live mode.  It acts like the normal secure2 server, but in the sandbox.  I get a confirmation email and daily report just like the secure server. 

Someone said they had a problem with ssl also.  The secure server is supposed to be https://secure2.authorize.net/gateway/transact.dll  It has a 2 after secure and there are 3 instances.  A.net switched to the Akamai routing network a few years ago and the link was changed.  I don't know if they will keep the old one active as they bounced back and forth on that. 

I'm not really a dog.
