Skip to Content Skip to Menu

[#7418] Authorize.Net is phasing out the MD5 hash

  • ThePiston
  • ThePiston
  • OFFLINE
  • Posts: 334
  • Thanks: 26
  • Karma: 1
5 years 9 months ago - 5 years 8 months ago #310145 by ThePiston
Got an email from authorize.net that says they are fazing out MD5 Hash. What do we need to do?

Authorize.Net is phasing out the MD5 hash, an older method used by shopping carts, payment modules and plugins to verify that transaction responses are genuine and from Authorize.Net. We have identified that you have this feature configured and may be relying on this older method.

Please contact your web developer or solutions provider and confirm if you are using an MD5-based hash. If so, you should begin plans for moving to SHA-512 hash via Signature Key.

The MD5 Hash will phase out in two phases:

Phase 1 - Starting later this month to early February 2019, we will remove ability to configure or update MD5 Hash setting in the Merchant Interface. There are no changes to the existing API response.
Phase 2 - Stop sending the MD5 Hash data element in the API response. This change will require that applications support the SHA-512 hash via signature key. Dates for phase 2 will be announced later but is expected in the next 2-3 months.

Please refer to our support article: MD5 Hash End of Life & Signature Key Replacement for more details and information on this change.

Thank you for your attention to this matter and for being an Authorize.Net merchant.

Sincerely,
Authorize.Net


CB 2.3, CBsubs 4.3, PHP 7.1, J! 3.9.X
Last edit: 5 years 8 months ago by beat. Reason: Added [#7418] tag to subject

Please Log in or Create an account to join the conversation.

  • krileon
  • krileon
  • ONLINE
  • Posts: 48541
  • Thanks: 8290
  • Karma: 1445
5 years 9 months ago #310150 by krileon
Replied by krileon on topic Authorize.Net is phasing out the MD5 hash
We've the following feature ticket to review upgrading the hashing in the Authorize.net gateway.

forge.joomlapolis.com/issues/7418


Kyle (Krileon)
Community Builder Team Member
Before posting on forums: Read FAQ thoroughly + Read our Documentation + Search the forums
CB links: Documentation - Localization - CB Quickstart - CB Paid Subscriptions - Add-Ons - Forge
--
If you are a Professional, Developer, or CB Paid Subscriptions subscriber and have a support issue please always post in your respective support forums for best results!
--
If I've missed your support post with a delay of 3 days or greater and are a Professional, Developer, or CBSubs subscriber please send me a private message with your thread and will reply when possible!
--
Please note I am available Monday - Friday from 8:00 AM CST to 4:00 PM CST. I am away on weekends (Saturday and Sunday) and if I've missed your post on or before a weekend after business hours please wait for the next following business day (Monday) and will get to your issue as soon as possible, thank you.
--
My role here is to provide guidance and assistance. I cannot provide custom code for each custom requirement. Please do not inquire me about custom development.
The following user(s) said Thank You: ThePiston

Please Log in or Create an account to join the conversation.

  • ospaorg
  • ospaorg
  • OFFLINE
  • Posts: 48
  • Thanks: 18
  • Karma: 1
5 years 8 months ago #311006 by ospaorg
Replied by ospaorg on topic Authorize.Net is phasing out the MD5 hash
Hello Kyle,
Looks like MD5 for authorize.net will be phased out by 3/28/19:

Phase 2 - Stop sending the MD5 Hash data element in the API response. To continue verifying via hash, this will require applications to support the SHA-512 hash via signature key.

Sandbox will be updated on March 7, 2019 to stop populating the MD5 Hash value, but the field will still be present but empty.
Production will be updated on March 28, 2019 to stop populating the MD5 Hash value, but the field will still be present but empty.

Please Log in or Create an account to join the conversation.

  • beat
  • beat
  • ONLINE
  • Posts: 2169
  • Thanks: 463
  • Karma: 352
5 years 8 months ago #311018 by beat
Thanks for informing us about the new very short notice date of production by authorize.net.

I have now setup a new authorize.net sandbox account in order to be able test the change, and we will be releasing a new version of CBSubs.

Beat - Community Builder Team Member

Before posting on forums: Read FAQ thoroughly -- Help us spend more time coding by helping others in this forum, many thanks :)
CB links: Our membership - CBSubs - Templates - Hosting - Forge - Send me a Private Message (PM) only for private/confidential info
The following user(s) said Thank You: nant, ospaorg

Please Log in or Create an account to join the conversation.

  • Proteon
  • Proteon
  • OFFLINE
  • Posts: 44
  • Thanks: 1
  • Karma: 0
5 years 8 months ago #311126 by Proteon
Replied by Proteon on topic Authorize.Net is phasing out the MD5 hash
We need to go live soon, and authorize.net is the only payment gateway we are supposed to use. Any estimate date for the authorize.net to work with CB Subs?

Please Log in or Create an account to join the conversation.

  • beat
  • beat
  • ONLINE
  • Posts: 2169
  • Thanks: 463
  • Karma: 352
5 years 8 months ago #311133 by beat
Authorize.net works today with CBSubs, and we hope to have a new tested version for their SHA hash in time for their very short-noticed phase-out of their MD5 hash.

We have initiated a SHA test-transaction with ARB on their test gateway end of last week. But their test gateway (still! 10 years after we told them it's a big annoyance) implements the 7 days minimum renewal interval, so we won't get the ARB silent post with the SHA hash before end of this week! So only thing I can say is that it won't be before mid-next week that we will have a CBSubs release that supports SHA in a tested way.

According to their very short noticed dates here support.authorize.net/s/article/MD5-Hash-End-of-Life-Signature-Key-Replacement :

Phase 1 - As of February 11, 2019 we have removed ability to configure or update MD5 Hash setting in the Merchant Interface. Merchants who had this setting configured have already been emailed/contacted.

Phase 2 - Stop sending the MD5 Hash data element in the API response. To continue verifying via hash, this will require applications to support the SHA-512 hash via signature key.

  • Sandbox has been updated as of March 7, 2019 to stop populating the MD5 Hash value, but the field will still be present but empty.
  • Production will be updated on [strike]March 14, 2019[/strike] March 28, 2019 (updated) to stop populating the MD5 Hash value, but the field will still be present but empty.


If you have a sample SHA2 ARB silent post from your history logs/notifications logs, with the corresponding SH2 key for us to try to implement the undocumented ARB SHA2 hash, please PM it to me.

Worst case, we will provide a way to remove the MD5 hash check, which is what most carts have done!!! Which is quite sad.

Needless to say that we do not recommend Authorize.net for new projects, given their very short notice phase-out notices.

You should contact your Auth.net sales representative and protest for such short-notice business-breaking practices.

Beat - Community Builder Team Member

Before posting on forums: Read FAQ thoroughly -- Help us spend more time coding by helping others in this forum, many thanks :)
CB links: Our membership - CBSubs - Templates - Hosting - Forge - Send me a Private Message (PM) only for private/confidential info

Please Log in or Create an account to join the conversation.

Moderators: beatnantkrileon
Powered by Kunena Forum