Add PGP encryption to my opencart contact us page - encryption

I am wondering if anyone can tell me, or point me in the right direction on,
how to add PGP encryption to my OpenCart 2.1 contact us page
(well, maybe for all emails sent to admin),
so messages are encrypted using my public PGP key.
I already use SSL but would also like to use PGP as well.
I assume this can be added to the code in the mail function?
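The question has no answer on the page, so here is an added example (not OpenCart's own code) of the step being asked about: the contact-form text is encrypted to the admin's public key before the mail is built, by shelling out to the gpg binary, and only the armored ciphertext goes into the mail body. OpenCart 2.1 is PHP, so in the shop itself this goes into the contact controller right before the mail object is sent (PHP's gnupg extension exposes the same encrypt operation); Python is used here so the round trip can be run stand-alone. Assumed: the admin key's user id is admin@example.com, and only the admin's public key (never the private key) is imported into the keyring of the account the web server runs as. The enquiry text in the demo is constructed.

```python
"""Encrypt a contact-form message to the shop admin's PGP public key before mailing it.

Added example, not OpenCart code. Encryption is done by the gpg binary; the admin's
PUBLIC key is the only key on the web server. The demo generates a throwaway key pair
in a temporary keyring so the round trip can be checked offline.
"""
import os
import shutil
import subprocess
import tempfile
from email.message import EmailMessage

ADMIN_KEY_ID = "admin@example.com"   # assumed user id of the admin's public key


def gpg_available() -> bool:
    return shutil.which("gpg") is not None


def pgp_encrypt(plaintext: str, recipient: str, homedir=None) -> str:
    """Return an ASCII-armored PGP message encrypted to `recipient`'s public key."""
    env = dict(os.environ)
    if homedir:
        env["GNUPGHOME"] = homedir
    result = subprocess.run(
        ["gpg", "--batch", "--yes", "--armor", "--trust-model", "always",
         "--encrypt", "--recipient", recipient],
        input=plaintext.encode("utf-8"), capture_output=True, env=env, check=True, timeout=60)
    return result.stdout.decode("ascii")


def build_admin_mail(name: str, email: str, message: str, admin_addr: str,
                     shop_addr: str, homedir=None) -> EmailMessage:
    """Everything the visitor typed goes inside the ciphertext; mail headers stay in clear."""
    enquiry = f"From: {name} <{email}>\n\n{message}\n"
    ciphertext = pgp_encrypt(enquiry, ADMIN_KEY_ID, homedir)
    msg = EmailMessage()
    msg["From"] = shop_addr
    msg["To"] = admin_addr
    msg["Subject"] = "[contact form] new enquiry"   # generic on purpose: the subject is not encrypted
    msg["Reply-To"] = shop_addr                      # the visitor's address is inside the ciphertext now
    msg.set_content(ciphertext)
    return msg


def demo_round_trip():
    """Generate a throwaway key in a temp keyring, encrypt, decrypt. Returns None without gpg."""
    if not gpg_available():
        return None
    with tempfile.TemporaryDirectory() as home:
        os.chmod(home, 0o700)
        env = dict(os.environ, GNUPGHOME=home)
        common = ["gpg", "--batch", "--pinentry-mode", "loopback", "--passphrase", ""]
        subprocess.run(common + ["--quick-generate-key", f"Shop Admin <{ADMIN_KEY_ID}>",
                                 "default", "default", "never"],
                       capture_output=True, check=True, env=env, timeout=180)
        body = "Constructed message: order 1234 never arrived."   # constructed enquiry
        mail = build_admin_mail("Alice", "alice@example.com", body,
                                ADMIN_KEY_ID, "shop@example.com", home)
        dec = subprocess.run(common + ["--decrypt"], input=mail.get_content().encode("utf-8"),
                             capture_output=True, check=True, env=env, timeout=60)
        subprocess.run(["gpgconf", "--kill", "gpg-agent"], env=env, capture_output=True, timeout=30)
        return {"mail_body": mail.get_content(), "decrypted": dec.stdout.decode("utf-8")}
```

Two caveats worth keeping in mind: SSL only protects the browser-to-shop hop, while the PGP layer protects the mail on its way to the admin mailbox, so both are useful; and the envelope (From, To, Subject, timestamps) is still visible to every mail server on the path, which is why the subject above is a fixed string and the visitor's details live inside the encrypted body.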

Related

Why does WooCommerce need both consumer key and secret to access the API?

When learning to use the WooCommerce API, I noticed that certain access requires both the consumer key and secret, like below (source: https://github.com/woocommerce/woocommerce/wiki/Getting-started-with-the-REST-API).
https://local.wordpress.dev/wp-json/wc/v2/orders?consumer_key=XXXX&consumer_secret=XXXX
I am puzzled: is it really safe to give both key and secret over the wire? For authentication purposes, shouldn't sending the key be enough, with the secret staying put? What is the reason behind that?
BTW, I tested with a few failed logins, and the URL is recorded in the log with the key and secret in plain text!
So is there any way of authenticating that avoids sending the secret?
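As an added example (not WooCommerce's code) of the kind of scheme the last line asks for: the client proves it knows the secret by HMAC-signing the request, and the server, which keeps its own copy of the secret, recomputes the signature. Only the consumer key, a timestamp, a nonce and the signature travel, and they go in headers rather than the query string so the access log never sees a credential. Signature schemes such as OAuth 1.0a, which WooCommerce uses over plain HTTP, work on this principle; the canonical string and header names here are this example's own simplification, not WooCommerce's rules, and the credential table is constructed.

```python
"""Signed API requests in which the consumer secret never leaves the client or the server.

Added example, not WooCommerce code. The canonical-string format and header names are
this example's own; the credential table is constructed.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed server-side credential table: consumer key -> consumer secret.
CREDENTIALS = {"ck_demo": "cs_demo_secret"}


def canonical_string(method: str, path: str, params: dict, timestamp: int, nonce: str) -> str:
    """Both sides must hash byte-identical input; sorting the query makes that deterministic."""
    query = urlencode(sorted(params.items()))
    return "\n".join([method.upper(), path, query, str(timestamp), nonce])


def sign_request(consumer_key, consumer_secret, method, path, params, timestamp=None, nonce=None):
    """Client side: returns the headers to attach. The secret is used here but not sent."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(8) if nonce is None else nonce
    base = canonical_string(method, path, params, timestamp, nonce)
    signature = hmac.new(consumer_secret.encode(), base.encode(), hashlib.sha256).hexdigest()
    # Headers, not query string: the access log records the path, not the credential.
    return {"X-Consumer-Key": consumer_key, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": signature}


class Verifier:
    """Server side: looks up the secret by key, recomputes the HMAC, rejects stale or replayed requests."""

    def __init__(self, credentials, max_skew=300):
        self.credentials = credentials
        self.max_skew = max_skew
        self.seen_nonces = set()   # in production: a shared store with expiry, not process memory

    def verify(self, method, path, params, headers, now=None):
        key = headers.get("X-Consumer-Key", "")
        secret = self.credentials.get(key)
        if secret is None:
            return False, "unknown consumer key"
        try:
            timestamp = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        now = int(time.time()) if now is None else now
        if abs(now - timestamp) > self.max_skew:
            return False, "timestamp outside window"
        nonce = headers.get("X-Nonce", "")
        if (key, nonce) in self.seen_nonces:
            return False, "replayed nonce"
        base = canonical_string(method, path, params, timestamp, nonce)
        expected = hmac.new(secret.encode(), base.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        self.seen_nonces.add((key, nonce))
        return True, "ok"
```

The signature covers method, path and query, so a captured request cannot be re-pointed at another order, and the nonce plus timestamp window stops it from being replayed as-is. If a client has to put credentials in the query string, as in the URL quoted in the question, the endpoint must at least be HTTPS and the web server's log format must be changed so the query string is not recorded.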

Import / use SHA1 passwords in WordPress

I've just built a new WordPress website and I'm trying to import my members from a previous website to the new one. The import was successful, except that now all logins fail. My old website used a SHA1 hash to encrypt passwords, whereas WordPress uses MD5. Is it possible to convert all my SHA1 passwords to MD5 and keep the same passwords?
When the website goes live I want all my previous members to be able to log in with the same passwords as before (as seamless as possible).
You can't convert a SHA1 hash to MD5. Moreover, WordPress uses a salt to create its hash.
You have 2 solutions:
The easy one: send a mailing to all users asking them to change their password.
The hard one: change the WordPress auth mechanism.

How to read the SAML response that comes to "../adfs/ls/"?

I am new to SSO and SAML. We have to set up single sign-on on our customer's site using ADFS 2.0, and we did that successfully. When we access ../adfs/ls/idpinitiatedsignon.aspx it redirects to the customer site, and if we enter the user name and password it brings us back to the idpinitiatedsignon.aspx page with a "you are signed in" label. When I check the HTTP transactions using the SAML Tracer Firefox plug-in, I can see the <samlp:Response> arriving at our_site_name/adfs/ls/, but when I try to access Request["SAMLResponse"] in the idpinitiatedsignon.aspx page, it shows as nothing.
How do I read the samlp:Response that comes to my server and not
to a particular page?
I can see in SAML Tracer that I'm getting <EncryptedAssertion>. How can I read the assertion values?
I'm answering from SAML and not from ADFS. Regarding question 2, I would expect that you would have received a block of XML called SAML Metadata that describes your customer's IdP. In that metadata, I would expect that you would receive your customer's public key (2.4.1.1 Element KeyDescriptor). I don't think it's possible to decrypt in SAML Tracer unless there is a way to install the encryption cert in the tool. My team has used the XmlSecTool, available from https://wiki.shibboleth.net/confluence/display/SHIB2/XmlSecTool, for verifying an XML signature pulled out of SAML Tracer, but I don't know if anyone has a way to decrypt at the browser. Forgive me if you are asking more specifically at the ADFS level.
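As an added example, not ADFS code or the answer's tool: with the HTTP-POST binding the IdP posts one form field, SAMLResponse, holding the base64-encoded <samlp:Response>, to the endpoint named in the response's Destination attribute (here /adfs/ls/), so that field exists only in that POST and has to be read by whatever handles that request, not by a page rendered afterwards. The parser below decodes the field and reports the issuer, the status, and, when the assertion is encrypted, which algorithms and which certificate the EncryptedKey was wrapped to, which is exactly what you need to know before you can decrypt anything. The response XML is constructed for the example and mirrors the EncryptedData/EncryptedKey layout ADFS produces.

```python
"""Read a SAML 2.0 <samlp:Response> from the SAMLResponse form field and report what is inside.

Added example, not ADFS code. The sample response is constructed; the namespaces are the
standard SAML 2.0 / XML Encryption / XML Signature ones.
"""
import base64
from xml.etree import ElementTree as ET   # for untrusted input in production, prefer defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed: the shape of a response whose assertion is encrypted to the relying party.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    ID="_c0ffee" Version="2.0" IssueInstant="2016-01-01T00:00:00Z"
    Destination="https://our_site_name/adfs/ls/">
  <saml:Issuer>http://customer-idp.example/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
          <ds:KeyInfo><ds:X509Data><ds:X509IssuerSerial>
            <ds:X509IssuerName>CN=our_site_name</ds:X509IssuerName>
            <ds:X509SerialNumber>1</ds:X509SerialNumber>
          </ds:X509IssuerSerial></ds:X509Data></ds:KeyInfo>
          <xenc:CipherData><xenc:CipherValue>QUJD</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>REVG</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

# What the browser actually POSTs in the SAMLResponse field.
SAMPLE_FORM_FIELD = base64.b64encode(SAMPLE_RESPONSE_XML.encode("utf-8")).decode("ascii")


def parse_saml_response(saml_response_field: str) -> dict:
    """Decode the POSTed field and summarise the response without decrypting anything."""
    root = ET.fromstring(base64.b64decode(saml_response_field))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    info = {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS),
        "destination": root.get("Destination", ""),
        "status": status.get("Value", "") if status is not None else "",
        "assertion_present": root.find("saml:Assertion", NS) is not None,
        "encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
    }
    enc = root.find("saml:EncryptedAssertion/xenc:EncryptedData", NS)
    if enc is not None:
        method = enc.find("xenc:EncryptionMethod", NS)
        info["data_algorithm"] = method.get("Algorithm", "") if method is not None else ""
        enc_key = enc.find("ds:KeyInfo/xenc:EncryptedKey", NS)
        if enc_key is not None:
            key_method = enc_key.find("xenc:EncryptionMethod", NS)
            info["key_algorithm"] = key_method.get("Algorithm", "") if key_method is not None else ""
            # Names the certificate the session key was wrapped to: the receiving party's encryption cert.
            info["key_cert_issuer"] = enc_key.findtext(
                "ds:KeyInfo/ds:X509Data/ds:X509IssuerSerial/ds:X509IssuerName", default="", namespaces=NS)
    return info
```

The X509IssuerSerial inside EncryptedKey identifies the certificate whose public key wrapped the AES key: the receiving (relying) party's encryption certificate. Decrypting therefore needs that certificate's private key on the server that consumes the response, which is why no browser-side tool can show the assertion contents, and why the customer's public key from their metadata is what you use to verify the signature rather than to decrypt.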

Login with a WordPress-generated password in a non-WP environment

My client gave me a bunch of databases with WordPress-generated passwords. Now he wants me to make a login system, but not with WordPress (I must use those WP-generated passwords). Is there a way to make use of those passwords?
Thanks!
If you know which algorithm was used to encrypt passwords in your WordPress database, you can easily write your own function for comparing passwords for your login system, using the same hash.
Here is some more info on WP_HASH: http://codex.wordpress.org/Function_Reference/wp_hash_password
EDIT: A very good article about WordPress password hashes: http://resources.infosecinstitute.com/wordpress-password-hashes/

Is there such a thing as a SECURE client side password encryption?

Client-side encryption of user password:
I have searched for an answer to my question on this site but there is nothing specific to my question, and I was wondering if someone could shed some light.
THE QUESTION:
Would it be possible (and secure) if I were to encrypt a user password on the client side by using the user-entered password on the login form as the password for the encrypted file, then send the file to the server side? The only way that this file can be decrypted would be with an administrative password (second password) which only the server side knows, meaning that not even the user is able to decrypt it.
As an example, say I encrypt a password using the user-entered form password in WinRAR. The WinRAR file gets sent to the server. Now for the server to decrypt and get the password it needs to use its unique server-side decrypting password.
Or perhaps, instead of using the user-entered password to decrypt, get, say, JavaScript to produce a one-off random() password?
I'm not that advanced in web development and only have logic to go off, and hope that someone who is can give me some pointers on the flaws of this approach.
Unless you use HTTPS and SSL, this is inherently insecure, since an attacker can pre-emptively replace your JavaScript with malicious JavaScript that sends the user's password to an evil server, then does everything else normally.
Using one password to encrypt and a different password to decrypt is called Public-key Cryptography (PKI).
But if you do use it, then there is no need to send the encryption key to the server, since a "public" key is used to encrypt the data and only the "private" key can decrypt it.
Implementing PKI in JavaScript would be a big project.
You might want to re-phrase your question; it is a bit confusing.
You could store your password as a one-way hash (i.e. MD5). Then on the client side, MD5 the password input and send that to the DB.
See https://docs.djangoproject.com/en/dev/topics/signing/
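As an added example, not from either answer, here is the property of the "hash on the client, store the same hash" idea in the last answer that a practitioner would want to check before using it, set beside the usual server-side alternative. Two toy login servers: in the first the browser sends md5(password) and the server stores and compares exactly that value; in the second the server receives the password (over TLS) and stores a salted PBKDF2 hash. The attacker functions show what a captured wire value and a leaked database row are each worth. All users and passwords are constructed.

```python
"""What an attacker gets when the client hashes the password and the server stores that hash.

Added example, not from the original answers. Users and passwords are constructed.
"""
import hashlib
import hmac
import os


class ClientHashServer:
    """Stores md5(password); the client sends md5(password). The stored value IS the credential."""

    def __init__(self):
        self.table = {}

    def register(self, user: str, password: str):
        self.table[user] = hashlib.md5(password.encode("utf-8")).hexdigest()

    def login(self, user: str, wire_value: str) -> bool:
        return hmac.compare_digest(self.table.get(user, ""), wire_value)


def browser_login(server: ClientHashServer, user: str, password: str):
    """What the page's JavaScript would do; returns the value that travels over the wire."""
    wire_value = hashlib.md5(password.encode("utf-8")).hexdigest()
    return wire_value, server.login(user, wire_value)


class ServerHashServer:
    """Receives the password itself (over TLS) and stores salt + PBKDF2-HMAC-SHA256(password)."""

    def __init__(self, iterations: int = 200_000):
        self.table = {}
        self.iterations = iterations

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def register(self, user: str, password: str):
        salt = os.urandom(16)                       # per-user salt: equal passwords, different rows
        self.table[user] = (salt, self._derive(password, salt))

    def login(self, user: str, password: str) -> bool:
        record = self.table.get(user)
        if record is None:
            self._derive(password, b"\0" * 16)      # same cost for unknown users (timing)
            return False
        salt, stored = record
        return hmac.compare_digest(self._derive(password, salt), stored)


def attacker_replays_wire_value(server: ClientHashServer, user: str, captured: str) -> bool:
    """Sniffed on an HTTP connection: no need to know the password, the digest logs in."""
    return server.login(user, captured)


def attacker_with_database_dump(server, user: str) -> bool:
    """Leaked row replayed as the login credential; only works if the server accepts it verbatim."""
    stored = server.table[user]
    if isinstance(stored, str):                     # ClientHashServer row: the md5 hex string
        return server.login(user, stored)
    salt, digest = stored                           # ServerHashServer row: the derived key is not a password
    return server.login(user, digest.hex())
```

Client-side hashing on its own does not replace HTTPS: whatever the browser sends is what logs in, so capturing it is as good as capturing the password. And because the stored value equals the transmitted one, a database leak hands out working logins immediately, whereas a leaked salted PBKDF2 row still has to be cracked per user before it is usable.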
