(1/x) Spain's largest online card processor:
* XML inside XML
* Signing XML as text: cannot use a real XML parser or the signature breaks
Replying to @marcan42
(2/x)
* Using 3DES for no reason
* To calculate the HMAC key you need data from *inside* the payload
* Their XML namespace isn't a real URL
2 replies 4 retweets 6 likes -
(3/x)
* Signing key is pre-diversified in a dumb way for no reason, reducing entropy
* CBC mode with all-0 IV
1 reply 4 retweets 7 likes -
(4/x) * Their reference manual is useless (no mention of modes, IVs, etc): only way to interoperate is to reverse engineer their sample API.
4 replies 5 retweets 10 likes -
(5/x) * They have multiple callback mechanisms, but inexplicably the only usable one (positive synchronous confirmation) requires SOAP.
1 reply 1 retweet 4 likes -
(6/x) Seriously, this code of theirs. Go on, try to understand it. Input: <Message><Request>...</Request><Signature>...</Signature></Message> pic.twitter.com/ZPM83nGVSe
3 replies 5 retweets 10 likes -
(7/x) And you know, they *could* use a real XML parser for this part, but why bother. pic.twitter.com/A1ZWzea6tv
9 replies 5 retweets 17 likes -
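
The "signing XML as text" point from (1/x), as an added example that is not part of the thread and not the processor's code: a signature computed over the raw bytes of `<Request>` verifies only if the receiver slices the same bytes out of the message, and fails once a real parser re-serializes an equivalent document. HMAC-SHA256, the key, and the element contents are assumptions made for illustration; the last function shows that canonicalizing before signing removes the mismatch.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-key"  # constructed value, not a real merchant key
# Constructed sample payload: single-quoted attribute and an empty element.
REQUEST = b"<Request version='1'><Amount>1000</Amount><Note></Note></Request>"

def sign_text(request_xml: bytes) -> str:
    # Assumption: HMAC-SHA256 over the exact bytes of the <Request> element.
    return hmac.new(KEY, request_xml, hashlib.sha256).hexdigest()

def build_message(request_xml: bytes) -> bytes:
    sig = sign_text(request_xml).encode()
    return b"<Message>" + request_xml + b"<Signature>" + sig + b"</Signature></Message>"

def verify_as_text(message: bytes) -> bool:
    # Receiver that treats the XML as text: slice raw bytes, never parse.
    start = message.index(b"<Request")
    end = message.index(b"</Request>") + len(b"</Request>")
    sig_start = message.index(b"<Signature>") + len(b"<Signature>")
    sig = message[sig_start:message.index(b"</Signature>")]
    return hmac.compare_digest(sign_text(message[start:end]).encode(), sig)

def verify_after_parse(message: bytes) -> bool:
    # Receiver that uses a real parser and re-serializes <Request> first.
    root = ET.fromstring(message)
    reserialized = ET.tostring(root.find("Request"))
    return hmac.compare_digest(sign_text(reserialized), root.findtext("Signature"))

def equivalent(a: bytes, b: bytes) -> bool:
    # Canonical XML (C14N 2.0) gives equal documents one byte representation.
    return ET.canonicalize(a.decode()) == ET.canonicalize(b.decode())

if __name__ == "__main__":
    msg = build_message(REQUEST)
    reparsed = ET.tostring(ET.fromstring(REQUEST))
    print("text slice verifies:   ", verify_as_text(msg))
    print("parsed copy verifies:  ", verify_after_parse(msg))
    print("re-serialized request: ", reparsed.decode())
    print("same canonical form:   ", equivalent(REQUEST, reparsed))
```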