Thanks for the feedback, all. To summarize what I've heard:
- SSL certs can be bought cheaply in the US/Europe - However, certs might be prohibitively expensive in some economies (like emerging markets) - SSL is *not* required to make in-app payments secure - SSL will probably make replay attacks harder if the app is susceptible to such It sounds like it's safe to remove the SSL restriction so I filed this: https://bugzilla.mozilla.org/show_bug.cgi?id=862588 This will include documentation: a big red warning urging developers to use HTTPS if possible. Also, we can document replay attacks and how app developers can protect against them. They should be protecting against replays regardless of using HTTPS or not. -Kumar On Apr 10, 2013, at 4:29 PM, Kumar McMillan <[email protected]> wrote: > > On Apr 10, 2013, at 4:20 PM, Mark Giffin <[email protected]> wrote: > >> On 4/10/13 11:04 AM, Raymond Forbes wrote: >>> I will say, SSL certs are not that expensive, at least not in my experience. >> To give a concrete example, the article Kumar posted earlier says certs are >> $50 to $150 per year. Is that what you mean by expensive Kumar? > > Yes. Compare to $120+ per year for entry level web/cloud hosting; everything > adds up. It just seems like an unnecessary barrier that would affect the > bottom line for a web enabled business. > >> >> http://www.wpcode.net/fb-ssl.html >> >> Mark >> >> >> _______________________________________________ >> dev-webapps mailing list >> [email protected] >> https://lists.mozilla.org/listinfo/dev-webapps > > _______________________________________________ > dev-webapps mailing list > [email protected] > https://lists.mozilla.org/listinfo/dev-webapps _______________________________________________ dev-webapps mailing list [email protected] https://lists.mozilla.org/listinfo/dev-webapps
