On Apr 9, 2013, at 9:15 PM, Fred Wenzel <[email protected]> wrote:
> Where does the shared secret come from (i.e., how does it get shared
> between app and server)? If it ships with the app, an attacker can just
> fish it out of their instance of the app and off they go. If it's sent
> over the wire, you need a method to keep it secret; like HTTPS or a
> Diffie-Hellman key exchange.

It's a shared private secret. The app has a copy that it must keep on its server and the payment provider (Mozilla's Webpay) must also keep a copy securely on its server. All communication is signed with the secret, i.e. no secret is ever passed over the wire, only signatures derived from the secret. So HTTP doesn't really pose a problem here because the signatures are strong (HMAC/SHA256). The strength can be increased at any time if we choose to without altering the protocol.

>
> ~F
>
>
> On 4/9/13 4:15 PM, Kumar McMillan wrote:
>>
>> On Apr 9, 2013, at 5:57 PM, Matt Basta <[email protected]> wrote:
>>
>>> Correct me if I'm wrong, but if a third party intercepted the JWT for the
>>> purchase, they couldn't falsify information in that JWT or somehow create
>>> their own fraudulent JWT.
>>
>> Correct. This was so obvious in my own head that I forgot to mention it :)
>> An attacker can't intercept an HTTP request and *alter* the outcome of a
>> payment. The JWT is signed with a secret (shared) key so both parties will
>> know if it was tampered with.
>>
>>> And as you said, user privacy at a high level isn't impacted since there's
>>> no personal information in the JWT. Since that's the case (AFAIK), I'd say
>>> it's safe to not require HTTPS.
>>>
>>> ----- Original Message -----
>>> From: "Kumar McMillan" <[email protected]>
>>> To: [email protected]
>>> Cc: "Raymond Forbes" <[email protected]>
>>> Sent: Tuesday, April 9, 2013 3:29:08 PM
>>> Subject: should we support non-HTTPS urls for in-app payments?
>>>
>>> For a developer to build an app with in-app payments she currently has to
>>>
>>> 1. host a web server at some domain and
>>> 2. that server must accept HTTPS connections with a valid cert. She cannot
>>> use a self-signed cert.
>>>
>>> Is it important enough for the developer ecosystem to relax this
>>> restriction and allow HTTP URLs?
>>>
>>> If a developer self-hosts their domain it is pretty costly to get an HTTPS
>>> cert and this would be a barrier to entry. Many services like Heroku, App
>>> Engine, OpenShift, etc, will provide HTTPS on a shared domain though.
>>>
>>> Why HTTPS? The restriction applies to when the Firefox Marketplace does a
>>> server to server post with a JWT containing the result of a purchase. This
>>> JWT is a blob of JSON that contains info about the product. It does *not*
>>> contain user data unless the developer put an email or something in the
>>> productData field but that would be weird. In raw form, the JWT is a base64
>>> encoded string of JSON + a signature.
>>>
>>> Here's detailed info about how notifications work:
>>> https://developer.mozilla.org/en-US/docs/Apps/Publishing/In-app_payments#Processing_postbacks_on_the_server
>>>
>>> Example JWT that would be sent over the wire in plain text (after decoding
>>> it):
>>>
>>> {
>>>   "iss": "marketplace.firefox.com",
>>>   "aud": APPLICATION_KEY,
>>>   "typ": "mozilla/payments/pay/postback/v1",
>>>   "exp": 1337370900,
>>>   "iat": 1337360900,
>>>   "request": {
>>>     "id": "915c07fc-87df-46e5-9513-45cb6e504e39",
>>>     "pricePoint": 1,
>>>     "name": "Magical Unicorn",
>>>     "description": "Adventure Game item",
>>>     "productData": "user_id=1234&my_session_id=XYZ",
>>>     "postbackURL": "https://yourapp.com/payments/postback",
>>>     "chargebackURL": "https://yourapp.com/payments/chargeback"
>>>   },
>>>   "response": {
>>>     "transactionID": "webpay:84294ec6-7352-4dc7-90fd-3d3dd36377e9"
>>>   }
>>> }
>>> _______________________________________________
>>> dev-webapps mailing list
>>> [email protected]
>>> https://lists.mozilla.org/listinfo/dev-webapps
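As an added example (not code from the thread or from Mozilla's Webpay), here is how the app server's postback endpoint can verify such an HS256-signed JWT, and why plain HTTP is enough for integrity but not for confidentiality: an edited payload fails the signature check, while anyone on the path can still read the claims without the secret. The secret, application key and token are constructed placeholders; the claim values mirror the example postback in the thread.

```python
import base64, hashlib, hmac, json

# Constructed placeholders: a real deployment keeps SECRET only on the app server and at Webpay.
SECRET = b"constructed-shared-secret-placeholder"
APP_KEY = "constructed-application-key"
SAMPLE_CLAIMS = {  # mirrors the example postback JWT quoted in the thread
    "iss": "marketplace.firefox.com", "aud": APP_KEY,
    "typ": "mozilla/payments/pay/postback/v1", "exp": 1337370900, "iat": 1337360900,
    "request": {"id": "915c07fc-87df-46e5-9513-45cb6e504e39", "pricePoint": 1,
                "name": "Magical Unicorn", "productData": "user_id=1234&my_session_id=XYZ"},
    "response": {"transactionID": "webpay:84294ec6-7352-4dc7-90fd-3d3dd36377e9"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, secret: bytes) -> str:
    """Issuer side: base64url(header).base64url(claims).base64url(HMAC-SHA256 over the first two)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_postback(token: str, secret: bytes, app_key: str, now: int) -> dict:
    """Receiver side: check the signature first, then the claims; raise ValueError on any failure."""
    header_b64, body_b64, sig_b64 = token.split(".")  # ValueError unless exactly three parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose a weaker algorithm
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")  # constant-time compare; any edited byte fails here
    claims = json.loads(_b64url_decode(body_b64))
    if (claims.get("iss"), claims.get("aud"), claims.get("typ")) != (
            "marketplace.firefox.com", app_key, "mozilla/payments/pay/postback/v1"):
        raise ValueError("wrong issuer, audience or token type")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    return claims

def with_altered_price(token: str, price_point: int) -> str:
    """Same header and signature but an edited payload; a correct verifier must reject it."""
    header_b64, body_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(body_b64))
    claims["request"]["pricePoint"] = price_point
    return f"{header_b64}.{_b64url(json.dumps(claims).encode())}.{sig_b64}"

def read_unverified(token: str) -> dict:  # no secret needed: the signature gives integrity, not secrecy
    return json.loads(_b64url_decode(token.split(".")[1]))
```

Because `read_unverified` works without the key, anything a developer puts in `productData` is readable by an on-path observer over HTTP even though it cannot be changed without detection.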
