Read web version URL is uncomfortably insecure

edited March 2013 in Suggestions

Hi Ben,

New user to Sendy and generally very impressed with what you've put together.

However, I'm a bit concerned about how insecure the 'read web version' URL is - using just a couple of integer references as it does.

Would it be possible to switch to using GUIDs for the subscriber reference instead of integers?

Or indeed reference each message with a single GUID stored in the links table? I'm assuming that's effectively campaignsubscriber, though I haven't had a chance to dig into the code.

Best,

Martin

Comments

  • Hi Martin,

    It looks like you don't have openssl_encrypt enabled on your PHP. The latest 1.1.5.1 version uses openssl_encrypt to encrypt and decrypt all IDs (hashed and salted). If you don't have openssl_encrypt enabled on your PHP, Sendy will fall back to using intval and base_convert.

    Taken from the change log of 1.1.5:

    All IDs are now encrypted with AES-256-CBC encryption method (used by the U.S. government to encrypt top secret documents) and hashed with your API key. This makes URLs of web versions, open tracking, link tracking, subscribes and unsubscribes even more secure.

    If you want better encryption, contact your host to install openssl_encrypt or upgrade your PHP to 5.3 or higher (your PHP version is currently 5.2.17).

    Thanks.

    Ben
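The following is an added example, not Sendy's code and not a description of how Sendy 1.1.5 implements its IDs. It shows the shape of what Martin asks for and Ben describes: replacing the bare `campaign`/`subscriber` integers in a "read web version" URL with an opaque token that cannot be enumerated or altered. The key derivation (SHA-256 of the install's API key), the token layout (IV, AES-256-CBC ciphertext, then an HMAC-SHA256 tag), the function names and the sample values are all assumptions made for the example; the thread mentions none of them. The contrast at the end uses `base_convert`, the fallback Ben names, to show why that path only re-spells the integer.

```php
<?php
// Added example (not Sendy's code): unguessable, tamper-evident link IDs.
// Assumptions not taken from the thread: a 32-byte key derived from the
// install's API key with SHA-256, and a token laid out as IV || ciphertext || tag.

declare(strict_types=1);

const CIPHER = 'aes-256-cbc';   // the method named in the 1.1.5 changelog

// Derive a fixed-length AES-256 key. $apiKey is a placeholder for the configured value.
function linkKey(string $apiKey): string
{
    return hash('sha256', $apiKey, true);   // 32 raw bytes
}

function base64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function base64urlDecode(string $s): ?string
{
    $s = strtr($s, '-_', '+/');
    $s = str_pad($s, strlen($s) + (4 - strlen($s) % 4) % 4, '=');   // restore padding
    $d = base64_decode($s, true);
    return $d === false ? null : $d;
}

// Turn (campaign, subscriber) into an opaque token for the web-version URL.
function encodeLinkIds(int $campaign, int $subscriber, string $key): string
{
    if (!function_exists('openssl_encrypt')) {
        // Design choice for this example: refuse rather than fall back to guessable IDs.
        throw new RuntimeException('openssl extension required');
    }
    $plain = $campaign . ':' . $subscriber;
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));          // fresh IV per token
    $ct = openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Encrypt-then-MAC: CBC by itself does not detect tampering; the tag does.
    $tag = hash_hmac('sha256', $iv . $ct, $key, true);
    return base64url($iv . $ct . $tag);
}

// Reverse a token; returns null for anything forged, truncated or altered.
function decodeLinkIds(string $token, string $key): ?array
{
    $raw = base64urlDecode($token);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === null || strlen($raw) < $ivLen + 16 + 32) {        // IV + one block + tag
        return null;
    }
    $tag = substr($raw, -32);
    $body = substr($raw, 0, -32);
    // Constant-time tag check before any decryption, so padding errors leak nothing.
    if (!hash_equals(hash_hmac('sha256', $body, $key, true), $tag)) {
        return null;
    }
    $iv = substr($body, 0, $ivLen);
    $ct = substr($body, $ivLen);
    $plain = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($plain === false || !preg_match('/^(\d{1,18}):(\d{1,18})$/', $plain, $m)) {
        return null;
    }
    return ['campaign' => (int)$m[1], 'subscriber' => (int)$m[2]];
}

// Demo with constructed values.
$key = linkKey('REPLACE_WITH_YOUR_API_KEY');          // placeholder, not a real key
$token = encodeLinkIds(12, 34567, $key);
echo "token: $token\n";
var_dump(decodeLinkIds($token, $key));                // campaign 12, subscriber 34567

// Flip one character of the token: the tag no longer matches and decoding yields null.
$tampered = $token;
$tampered[10] = ($tampered[10] === 'A') ? 'B' : 'A';
var_dump(decodeLinkIds($tampered, $key));             // NULL

// Contrast with the intval/base_convert fallback: neighbouring subscribers get
// neighbouring tokens, because this is only a change of radix, not encryption.
echo base_convert('34567', 10, 36), ' ', base_convert('34568', 10, 36), "\n";
```

Two points the thread leaves implicit are made concrete here: a fresh random IV per token means the same subscriber gets a different token in every campaign, and the HMAC tag (checked with `hash_equals` before decrypting) is what stops a recipient from editing the ciphertext, since AES-CBC on its own does not authenticate anything. The `preg_match` on the decrypted plaintext is the last line of defence: even a token that passes the tag check only yields IDs if it parses as two bounded integers.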

This discussion has been closed.