by monitoring » Mon Sep 01, 2008 5:48 pm
Thanks for posting.
That is a good question.
If the intake of the account/password fields is done with JavaScript then
the only thing that can be done is to have the JavaScript do
the encryption...but that would mean rewriting the JavaScript.
You see what happens is that you type in stuff, and the JavaScript
echoes it (plaintext for account, "o o o ..." for each keystroke of
the password), then the JavaScript shoots it up to the
server directly (probably using an SSL line so it is encrypted
in and out).
The password is in plain text only between the keyboard and
when the JavaScript types out the "o o o ...". eValid never
gets a shot at it.
Maybe you have to make sure that the eValid playbacks are done from
a secure facility.
Remember, what is on the screen is the "o o o ..."...but yes, I know,
the password is in plain text in the script....
Is this a big enough issue that they would pay for a product
modification to pre-encrypt/post-encrypt the extract from a
JavaScript supported intake field?
eValid Tech Support Team