• A quick note on my first steps using stripe.com

    I’m building a web site for a charity that needs to take credit cards for tickets being sold. I’ve chosen to use stripe.com as:

    • It’s simple to implement
    • They take care of all the security and PCI DSS (I never get any card details to save, that’s a good thing).
    • It’s not expensive (compared to other options like having a merchant account for the charity).
    • I couldn’t get away with using existing services (eg: eventbrite, picatic, etc)

    Users don’t have to register on this charity site (essentially it’s selling a one-off event ticket) so my process is:
    1) Visitor completes form and submits [let’s call it ‘Registration’]
    2) Server validates form (email address present, other information entered, etc)
    3) Server sends page with Stripe pay now button. That button contains the code to pre-complete some of the Stripe form (eg: the email address).
    4) Visitor clicks Stripe button, enters card details which are sent direct to the Stripe server (ie: not through my server)
    5) Stripe returns a ‘token’ that can be used to charge the credit card and the visitor is directed to my ‘charge’ page with their token (sent as an HTTPS POST request).
    6) When my /charge page is requested, my server can request the card is charged using the single-use Stripe token, then thank the customer for paying.

    I wanted to record the payment as processed against my Registration_ID, and thought I would be able to use the browser session to link the Stripe request with a specific registration. It didn’t work: every test transaction came back with nothing in the session. It was as if the session was being refreshed every time a Stripe transaction occurred.
    After several hours of frustration, I tracked it down to Rails’ built-in CSRF protection.
    As the POST form is coming via Stripe, it won’t read the session cookie from the browser and resets it.

    All I have to match the registration record with the Stripe transaction is the visitor’s email address. This obviously causes problems if:

    • A visitor wants to buy more than one registration on the same email address
    • A visitor changes their email address during the stripe process (not easy for them to do, but possible).

    However, it’s the best I’ve got, so I’ll have to write some backup code to prevent two registrations on one email address (they’ll have to get in touch and pay another way) and raise an error if the email address that Stripe got is different from the address in our records (the charity will have to match the records manually, which isn’t difficult for such a small event).

    Here’s the part of my dev log that helped me find the problem, along with this blog post on kalzumeus.com.

    Started POST "/registers/charge" for 127.0.0.1 at 2014-03-14 16:12:34 +0000
    Processing by RegistersController#charge as HTML
    Parameters: {"stripeToken"=>"tok_1234sometokendata", "stripeEmail"=>"asdf@asdf", "stripeBillingName"=>"CARDNAME", "stripeBillingAddressLine1"=>"asdf", "stripeBillingAddressZip"=>"ME13 9AB", "stripeBillingAddressCity"=>"Faversham", "stripeBillingAddressState"=>"Kent", "stripeBillingAddressCountry"=>"United Kingdom"}
    WARNING: Can't verify CSRF token authenticity
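    One way to tie the /charge request back to a Registration_ID without depending on the session at all is to carry a signed, time-limited reference through the Stripe form and cross-check the email Stripe captured on the way back. This is an added example in plain Ruby (stdlib only), not code from the post; the hidden field name registrationRef, the secret and the sample parameters are constructed for illustration.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed secret for this example only; a real app would load it from
# Rails secrets/credentials, never from source.
SECRET_KEY = 'example-only-secret-do-not-use'.freeze

# Constant-time string comparison so a tampered signature cannot be guessed
# byte by byte from response timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Build a signed, time-limited reference carrying the registration id and
# the email the visitor registered with. It goes in a hidden field next to
# the Stripe button (hypothetical field name: registrationRef), so it comes
# back alongside stripeToken without relying on the browser session.
def signed_registration_ref(registration_id, email, now: Time.now.to_i, ttl: 1800, key: SECRET_KEY)
  payload = JSON.generate(id: registration_id, email: email.to_s.downcase.strip, exp: now + ttl)
  encoded = Base64.urlsafe_encode64(payload, padding: false)
  "#{encoded}.#{OpenSSL::HMAC.hexdigest('SHA256', key, encoded)}"
end

# Check the reference posted back to /charge. Returns {id:, email:} or nil
# when it is missing, malformed, tampered with or expired.
def verify_registration_ref(ref, now: Time.now.to_i, key: SECRET_KEY)
  encoded, sig = ref.to_s.split('.', 2)
  return nil if encoded.nil? || sig.nil?
  return nil unless secure_compare(OpenSSL::HMAC.hexdigest('SHA256', key, encoded), sig)
  data = JSON.parse(Base64.urlsafe_decode64(encoded))
  return nil if data['exp'].to_i < now
  { id: data['id'], email: data['email'] }
rescue ArgumentError, JSON::ParserError
  nil
end

# Reconcile the Stripe callback parameters with our records: the signed
# reference identifies the registration, and the email Stripe captured is
# then cross-checked so a mismatch is flagged for manual review.
def match_charge_to_registration(params, now: Time.now.to_i)
  reg = verify_registration_ref(params['registrationRef'], now: now)
  return [:invalid_ref, nil] unless reg
  stripe_email = params['stripeEmail'].to_s.downcase.strip
  return [:email_mismatch, reg[:id]] unless stripe_email == reg[:email]
  [:ok, reg[:id]]
end
```

    The charge itself should only be requested once match_charge_to_registration returns :ok and the registration has no payment recorded yet, which also covers the double-registration case from the post.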


  • A new form of Comment spam? – url shorteners and redirection?

    This is interesting. This blog just had a comment which, at first glance, looked normal.

    [Image: URL redirection can hide the destination, not always a good thing]

    The link first runs through URL shortening service tinyurl.com.

    That in turn redirects it to adfly (http://adf.ly) which is where it becomes interesting.
    [Image: Example of an Adfly landing page]
    Adfly is an advertising system. Instead of linking directly to the destination, you link with a custom link from them. Before the visitor can go to the new page, they see an advert.
    They can interact with that advert or click the big “Skip Ad” button at the top of the page.
    If people click on the advert, whoever created the link gets a commission.

    I don’t have a problem with Adfly. I’ve seen my son skip the adverts lots of times when he’s getting plugins for Minecraft. What I hadn’t seen before was this method of hiding the adfly link and as far as I know, it’s the first one posted on my blog.

    Is it a problem?
    I don’t think so, just an observation. It means I’m going to be less trusting of any url shortening from now on.

    Is it an opportunity?
    Not for me, at least not yet.
    It would not be difficult for me to write some code that redirected all my off-site links via Adfly, including those posted in comments. It does mean anyone visiting and following a link would have an extra step to go through, and I’d rather not do that to readers.

    I used to have google adverts on the blog but when I came to update WordPress I didn’t bother rewriting the templates or installing any plugins. The revenue it was generating was trivial.
    I suspect Adfly revenue from this site would also be too small to be worth the effort.


  • BitDefender v Nod32

    It’s anti-virus renewal time! Not the most exciting job of the year, which is why I’ve been renewing for at least 2 years at a time.

    Bottom line: So, after all my research, reading and testing, we’re sticking with Nod32 for another 2 years.

    We’ve been Eset Nod32 customers a long time, but for this renewal a few warning signs meant extending the licence wasn’t the no-brainer it has been in the past.
    1) Their web site is way out of date. Here’s a screenshot:
    [Image: why_eset]
    It’s November of 2013, so why are all these certifications dated 2006 to 2010?
    2) Being pedantic when it comes to presentation of data, I read the claim of “ESET has won an unprecedented number of Virus Bulletin’s VB100 awards, more than any other security product” can also mean “We’ve been around years longer than everyone else, so we can say that whilst the new companies can’t”. It doesn’t tell me Eset are still leading the field and I’m sure they used to say they were the only provider with a 100% detection rate. They don’t say that now… maybe they’re not as good?

    The big plus in their favour: The renewal price is cheaper than the new customer price. I like that. I hate it when companies give discounts to new customers but not existing, making me need to spend time switching supplier each year.

    Despite the plus, it was time to do a little more research.

    [Image: av-comparatives]

    I went through each month of reports on this site, as well as a couple of others. About 4 hours of study (yeah, I should get a life).
    Result: ESET isn’t the leader any more. It may only be behind by a couple of percent, but going through several months of av-comparatives.org tests, they are now often a little behind. My fear, of course, is that one or two new viruses they miss in a given month is the one that gets into our network and causes mayhem [at this point, I am obliged to remind you to make sure your backups work, lest this latest virus called ‘cryptolocker’ destroy your files].

    I looked at the new consistent leaders. I settled on the best alternative for our needs to be BitDefender. I wanted to try Kaspersky, mostly because I admire their stance against a patent troll, but unfortunately it’s a lot more expensive than Eset Nod32. Of course, I’ll regret that one day if we get a virus Kaspersky would have stopped, but in 6 months’ time it could be Kaspersky misses the virus Eset would have stopped. Hey ho!

    I registered for the trial and at first, I liked it. I went for their ‘Cloud Security’ option, which as best as I can tell, is their ‘Small Business Pack’ (ie: regular PC antivirus) but with a web-based console for reporting and installing. I installed it on a new Windows 8 PC (our first in the office, and I like Windows 8 a lot) and I love the console. It gave me a link to download the install which was super smooth (no licence IDs to type in). It later told me that we have 7 other PCs that aren’t running BitDefender (it searches the Windows network for machine IDs and matches them to the machines BitDefender is installed upon).

    Everything was great… until I got a virus. OK, not a real virus, the EICAR test virus file. It’s a small piece of text you can download to see if your virus scanner will detect it. Except. It didn’t. Or, I thought it didn’t. It immediately quarantined the file BUT DIDN’T TELL ME. So I did what any user would do, I tried again. I then decided the download function wasn’t working, so copied the text into a new text file, saved it, closed it – but it had disappeared. I then created the text file and left as .txt. Saw it on my desktop, renamed the file… and it disappeared.

    Only then did I go and check the notification panel to see all these files were quarantined. So it’s good, it did its job, but it’s bad, because I didn’t know that. If one of our users has the same situation trying to read a customer’s .doc attachment, how are they to know what’s happened? It’s annoying.

    So I put in a support request:

    Issue: I’m testing BitDefender for our business. I tried the EICAR test file. BitDefender spotted the file and moved it to quarantine. However there was no warning for the user (that the file they just downloaded was quarantined). The action was reported in the web console. Is there a setting that prevented a warning for the user or is this always the case (users don’t get told)?

    After a few days with no answer, I took to their product forums. The forums were pretty quiet. No one with a similar question to mine, but it appears I wasn’t the only one waiting for an answer.

    [Image: bitdefender_forum]

    A whole 8 days later, I got an answer to my support email:

    When running in Auto Pilot Mode, the product will take automatic actions for all malware and all information will be logged in Events.

    The user will be notified via the Security widget that will display the number of Events.

    So, if you realise, you can open the widget and see what’s happened. It doesn’t pop up a warning. Until then, you’ll be clicking download wondering why nothing seems to be happening. Today, I also noticed a new warning, “7 Days since last system scan” or similar. I don’t understand why BitDefender hasn’t just gone ahead and scanned if that is significant to the antivirus protection; I know Eset Nod32 does. Sure, a full scan can affect PC performance, so make it happen when the processor is idle, or as a low-priority background task.

    I’ve only put one support request into Nod32 over the years we’ve had it, but looking back it appears to have been answered on the same day (with the solution, my further thank you reply 4 days later shows).

    So, after all my research, reading and testing, we’re sticking with Nod32 for another 2 years.

