Get answers quicker by searching

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

In this Discussion

  • Ben March 2013
Read web version URL is uncomfortably insecure
  • Vote Up0Vote Down addactiveaddactive
    Posts: 46Sendy user

    Hi Ben,

    New user to Sendy and generally very impressed with what you've put together.

    However, I'm a bit concerned about how insecure the 'read web version' URL is - using just a couple of integer references as it does.

    Would it be possible to switch to using GUIDs for the subscriber reference instead of integers?

    Or indeed reference each message with a single GUID stored in the links table? I'm assuming that's effectively campaignsubscriber, though I haven't had a chance to dig into the code.

    Best,

    Martin

  • 1 Comment
  • Vote Up0Vote Down BenBen
    Posts: 3,447Sendy support

    Hi Martin,

    It looks like you don't have openssl_encrypt enabled on your PHP. The latest 1.1.5.1 version uses openssl_encrypt to encrypt and decrypt all IDs (hashed and salted). If you don't have openssl_encrypt enabled on your PHP, Sendy will fallback to using intval and base_convert.

    Taken from the change log of 1.1.5:

    All IDs are now encrypted with AES-256-CBC encryption method (used by the U.S. government to encrypt top secret documents) and hashed with your API key. This makes URLs of web versions, open tracking, link tracking, subscribes and unsubscribes even more secure.

    If you want better encryption, contact your host to install openssl_encrypt or upgrade your PHP to 5.3 or higher (your PHP version is currently 5.2.17).

    Thanks.

    Ben

This discussion has been closed.
All Discussions