Your Achievements
Level 1
0% to
Level 2
Next /
to gain points, level up, and earn exciting badges like the new Applaud 5 BadgeLearn more!
View All BadgesSign in to view all badges
Open Alert Bar
SOLVED

Store and use sensible data - e. g. encode and decode information

Go to solution
WolframLotz
Level 4
Level 4
‎11-18-2022 12:19 AM
‎11-18-2022 12:19 AM

Store and use sensible data - e. g. encode and decode information

Hi everyone, 

we like to request some sensible data in our forms and integrate them within our emails. The issue is that data stored in Marketo are readable for everyone. And eventhough I'd create a separate Workspace and store the data in a custom program member field this data would appear within the activity log. 

So one idea is to encode this data e. g. with base64. But to use the data in an email I'd need to decode the data via email token. Unfortunatley I found just a possibility to encode those.
https://nation.marketo.com/t5/product-blogs/base64-ing-a-string-in-velocity-without-using-reflection...

Do you know any possibility to decode data without the need to store them afterward? (like if we would use a webhock)

Or do you know a possility to configure the rights that way that specific field information can be read only from a specific user role. 

We are open for any suggestions. 🙂

0 Likes
659
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
SanfordWhiteman
Level 10 - Community Moderator
Level 10 - Community Moderator
‎11-18-2022 12:19 PM
‎11-18-2022 12:19 PM

Re: Store and use sensible data - e. g. encode and decode information

Base64 is a not a security mechanism (it’s encoding, not encryption). You can decode Base64 within Velocity as well as encode it. But if the idea is that “only” a special Velocity token could decode it, that’s a fallacy — anyone can run a Base64 decoder, even in their browser console.

 

Even if Velocity still had the ability to decrypt AES (it used to) you’d still have the secret stored in plaintext in the Velocity code.

 

Remember one of Bruce Schneier’s rules: Any data that can be decrypted without user intervention is not secure. Obviously you can achieve more security with actual encryption than with mere encoding. But if you want something to be secure in contexts A and B but magically become plaintext again in context C that’s harder to do. Consider that someone could just send themselves an alert with the magically decrypted data.

View solution in original post

0 Likes
644
Reply
1 REPLY 1
SanfordWhiteman
Level 10 - Community Moderator
Level 10 - Community Moderator
‎11-18-2022 12:19 PM
‎11-18-2022 12:19 PM

Re: Store and use sensible data - e. g. encode and decode information

Base64 is a not a security mechanism (it’s encoding, not encryption). You can decode Base64 within Velocity as well as encode it. But if the idea is that “only” a special Velocity token could decode it, that’s a fallacy — anyone can run a Base64 decoder, even in their browser console.

 

Even if Velocity still had the ability to decrypt AES (it used to) you’d still have the secret stored in plaintext in the Velocity code.

 

Remember one of Bruce Schneier’s rules: Any data that can be decrypted without user intervention is not secure. Obviously you can achieve more security with actual encryption than with mere encoding. But if you want something to be secure in contexts A and B but magically become plaintext again in context C that’s harder to do. Consider that someone could just send themselves an alert with the magically decrypted data.

0 Likes
645
Reply
Home