Hi everyone,
we would like to request some sensitive data in our forms and integrate it into our emails. The issue is that data stored in Marketo is readable by everyone. And even though I could create a separate Workspace and store the data in a custom program member field, this data would still appear in the activity log.
So one idea is to encode this data, e.g. with Base64. But to use the data in an email I'd need to decode it via an email token. Unfortunately, I only found a way to encode it:
https://nation.marketo.com/t5/product-blogs/base64-ing-a-string-in-velocity-without-using-reflection...
Do you know any way to decode the data without needing to store it afterwards? (like we would do with a webhook)
Or do you know a way to configure the permissions so that specific field information can be read only by a specific user role?
We are open to any suggestions. 🙂
Base64 is not a security mechanism (it’s encoding, not encryption). You can decode Base64 within Velocity as well as encode it. But if the idea is that “only” a special Velocity token could decode it, that’s a fallacy — anyone can run a Base64 decoder, even in their browser console.
Even if Velocity still had the ability to decrypt AES (it used to) you’d still have the secret stored in plaintext in the Velocity code.
Remember one of Bruce Schneier’s rules: Any data that can be decrypted without user intervention is not secure. Obviously you can achieve more security with actual encryption than with mere encoding. But if you want something to be secure in contexts A and B but magically become plaintext again in context C that’s harder to do. Consider that someone could just send themselves an alert with the magically decrypted data.
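An added illustration of the two points above (encoding is reversible by anyone; encryption whose key sits in the template is reversible by anyone who can read the template). This is Python, not Velocity, and not code from the thread; the stored value and the template key are constructed sample data, and the cipher is a deliberately small toy, not something to deploy.

```python
"""Why Base64 hides nothing, and why a key embedded in a template hides
nothing either. Toy illustration in Python; Marketo and Velocity are not
involved. All sample values below are constructed."""
import base64
import hashlib
import hmac
import os
from typing import Optional


def obscure_with_base64(value: str) -> str:
    """What the question proposes: 'encode' the field before storing it."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def anyone_can_read(stored: str) -> str:
    """No secret is needed to reverse Base64, so every reader of the field
    or of the activity log recovers the plaintext."""
    return base64.b64decode(stored).decode("utf-8")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode. Illustration only; a real
    system would use an established AEAD such as AES-GCM."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, value: str) -> str:
    """Keyed, authenticated toy encryption. Output: Base64(nonce||ct||tag)."""
    nonce = os.urandom(12)
    pt = value.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode("ascii")


def decrypt(key: bytes, stored: str) -> Optional[str]:
    """Returns the plaintext only with the right key; None if the tag fails."""
    blob = base64.b64decode(stored)
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return pt.decode("utf-8")


# Constructed stand-in for "the secret stored in plaintext in the Velocity
# code": anyone who can open the template can copy this line.
TEMPLATE_EMBEDDED_KEY = b"constructed-demo-key-do-not-use"


def template_reader_recovers(stored: str) -> Optional[str]:
    """Models a colleague who reads the template, lifts the key, and decrypts
    the field outside the email context (e.g. in an alert to themselves)."""
    return decrypt(TEMPLATE_EMBEDDED_KEY, stored)


if __name__ == "__main__":
    secret = "constructed sample: 123-45-6789"
    print("base64 'hidden':", anyone_can_read(obscure_with_base64(secret)))
    stored = encrypt(TEMPLATE_EMBEDDED_KEY, secret)
    print("wrong key       :", decrypt(b"guess", stored))
    print("key from template:", template_reader_recovers(stored))
```

The contrast is the whole point: Base64 needs no key at all, and the keyed version only holds up until the key is placed somewhere every template reader can see it, which is exactly what a Velocity token would require.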