fjbender / simple-php-integration

This is a very simple Payone Integration in PHP
https://www.payone.de/

Point of the key in the Transaction Status message? #2

Closed judgej closed 8 years ago

judgej commented 8 years ago

What is the purpose of the key sent with the transaction status message? My first thought was that it offers some tamper protection, but it doesn't hash any items in the sent message, so it can't.

It is more like including a password with every request, which is okay so long as the status message is over a secure connection. With a man-in-the-middle attack, the transaction can be tampered with and that tampering could not be detected. So what is the point of it?

fjbender commented 8 years ago

The purpose is to make it somewhat clear that the message is really from Payone, in addition to the IPv4 source address, which can be easily forged.

For exactly the reason you stated we strongly recommend making the Transaction Status receiver available to Payone through a secure connection. I'll emphasize this in the documentation.
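As an added illustration of the distinction drawn in the two comments above (this is example code written for this page, not code from fjbender/simple-php-integration or from Payone, and it is written in Python rather than the project's PHP): the receiver compares the `key` field against a configured secret, which tells it only that the sender knew that secret and says nothing about the other fields, so a message whose `txaction` or `price` was changed in transit passes the check unchanged. The HMAC variant is what a message-level tamper check would look like if the message carried one; Payone's status message has no such field, which is why the thread concludes that the transport has to provide tamper protection. The portal key value, the field names other than `key`, and the `mac` field are assumptions made for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed shared secret for the example; a real receiver reads it from configuration.
PORTAL_KEY = "example-portal-key-not-real"

# Constructed status notification body (field names other than 'key' are assumed).
SAMPLE_BODY = "key=example-portal-key-not-real&txid=123456789&txaction=appointed&price=10.00&currency=EUR"


def parse_status(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded notification body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def key_is_valid(params: dict, expected_key: str) -> bool:
    """The check discussed in the thread: compare the 'key' field to a configured secret.
    compare_digest avoids leaking the secret through timing differences.
    Assumption: the field is compared as a plain string against the configured value."""
    return hmac.compare_digest(params.get("key", ""), expected_key)


def canonical(params: dict) -> bytes:
    """Stable serialization of every field except the tag itself, so a MAC covers the
    whole message regardless of the order the parameters arrived in."""
    items = sorted((k, v) for k, v in params.items() if k != "mac")
    return urlencode(items).encode()


def sign(params: dict, secret: str) -> dict:
    """Hypothetical message-level protection: an HMAC-SHA256 over all fields."""
    signed = dict(params)
    signed["mac"] = hmac.new(secret.encode(), canonical(params), hashlib.sha256).hexdigest()
    return signed


def mac_is_valid(params: dict, secret: str) -> bool:
    """Recompute the HMAC over the received fields and compare in constant time."""
    expected = hmac.new(secret.encode(), canonical(params), hashlib.sha256).hexdigest()
    return hmac.compare_digest(params.get("mac", ""), expected)


def tamper(params: dict, **changes) -> dict:
    """Model an on-path attacker rewriting fields of an unencrypted message."""
    out = dict(params)
    out.update(changes)
    return out


def demo() -> dict:
    original = parse_status(SAMPLE_BODY)
    forged = tamper(original, txaction="paid", price="0.01")
    results = {
        # Sender knew the secret: accepted.
        "key_original": key_is_valid(original, PORTAL_KEY),
        # Fields rewritten in transit, key left alone: still accepted, tampering undetected.
        "key_forged": key_is_valid(forged, PORTAL_KEY),
        # Wrong secret: rejected, which is all the key check can tell us.
        "key_wrong": key_is_valid(tamper(original, key="wrong"), PORTAL_KEY),
    }
    # With a MAC over the body, the same rewrite is caught.
    signed = sign(original, PORTAL_KEY)
    results["mac_original"] = mac_is_valid(signed, PORTAL_KEY)
    results["mac_forged"] = mac_is_valid(tamper(signed, price="0.01"), PORTAL_KEY)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The `key_forged` result is the point of the thread: the key check still passes after the attacker rewrites the transaction fields, so on a plain-HTTP receiver nothing in the message itself would reveal the change. Serving the receiver over TLS is what closes that gap for the real message format.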

fjbender commented 8 years ago

Closed with d962ff7

judgej commented 8 years ago

Okay, thanks. The key is just an authentication check, and tamper-protection happens in the transport.

All clear :-)