On 2013-04-09, at 4:15 PM, Kumar McMillan <[email protected]> wrote:
> On Apr 9, 2013, at 5:57 PM, Matt Basta <[email protected]> wrote:
>
>> Correct me if I'm wrong, but if a third party intercepted the JWT for the
>> purchase, they couldn't falsify information in that JWT or somehow create
>> their own fraudulent JWT.
>
> Correct. This was so obvious in my own head that I forgot to mention it :) An
> attacker can't intercept an HTTP request and *alter* the outcome of a
> payment. The JWT is signed with a secret (shared) key so both parties will
> know if it was tampered with.
>
>> And as you said, user privacy at a high level isn't impacted since there's
>> no personal information in the JWT. Since that's the case (AFAIK), I'd say
>> it's safe to not require HTTPS.
I suppose it goes without saying that we need to remind developers to verify the signature, especially if over HTTP. If the item was for something that can be repeatedly purchased (say a new life in a game), can I MITM it, then just keep replaying the request? I guess the developer will be checking for things like transaction id or id? Can I just change that and keep replaying it?
_______________________________________________
dev-webapps mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-webapps
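As an added example (not code from this thread or from the Mozilla payments project), here is what the developer-side check discussed above looks like: verify the HS256 signature with the shared secret first, then refuse any transaction id that has already been processed, so a replayed token buys nothing a second time. The claim name `transaction_id`, the secret and the sample claims are assumptions made for the example.

```python
import base64, hashlib, hmac, json

# Constructed shared secret for the example; in practice it is whatever the
# two parties to the payment agreed on out of band.
SHARED_SECRET = b"example-shared-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT: b64url(header).b64url(payload).b64url(HMAC-SHA256)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class PostbackVerifier:
    """Checks the signature, then rejects any transaction id seen before."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_transaction_ids = set()  # persist this server-side in real use

    def verify(self, token: str):
        """Return (claims, None) on success, otherwise (None, reason)."""
        parts = token.split(".")
        if len(parts) != 3:
            return None, "malformed token"
        header_b64, payload_b64, sig_b64 = parts
        try:
            header = json.loads(_b64url_decode(header_b64))
            claims = json.loads(_b64url_decode(payload_b64))
            given_sig = _b64url_decode(sig_b64)
        except ValueError:  # bad base64, bad UTF-8 or bad JSON
            return None, "malformed token"
        # Pin the algorithm: never let the token's own header choose it.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None, "unexpected alg"
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(self.secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, given_sig):  # constant-time compare
            return None, "bad signature"
        txn = claims.get("transaction_id") if isinstance(claims, dict) else None
        if not txn:
            return None, "missing transaction_id"
        if txn in self.seen_transaction_ids:  # same signed token sent again
            return None, "replayed transaction"
        self.seen_transaction_ids.add(txn)
        return claims, None
```

A changed transaction id fails the signature check, and an unchanged one fails the replay check, which is why both are needed; an expiry claim checked against the clock would bound how long the seen-id set must be kept.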
