On Apr 17, 2013, at 4:18 PM, Brian Smith <[email protected]> wrote:
> Kumar McMillan wrote:
>> - SSL certs can be bought cheaply in the US/Europe
>> - However, certs might be prohibitively expensive in some economies
>> (like emerging markets)
>
> Doesn't StartSSL not provide free certificates in all markets? Are there any
> of the initial target markets for which StartSSL does not provide free
> certificates?

Gerv linked to StartSSL but honestly it sounded too good to be true :) Is it really free as in free now and forever?

The cost of an SSL cert is only part of its complexities. The developer still has to install the cert on a server which may not be straightforward for a novice.

The main take-away from the thread so far is that SSL itself does not prevent a replay attack. An app should prevent against a replay attack regardless. If SSL is not directly solving any JWT threat then why should we *require* it? It just seems like an unnecessary road block.

>> This will include documentation: a big red warning urging developers
>> to use HTTPS if possible. Also, we can document replay attacks and
>> how app developers can protect against them. They should be
>> protecting against replays regardless of using HTTPS or not.
>
> Are payments available for hosted apps, or just privileged/certified apps?

Payments are available to any web content at all (e.g. Firefox OS browser pages) but the notices must be verified server side. In the case of a packaged app, it must have a server hosted API it can use.

> If payments are available for hosted apps, then that means that the
> prevention of replays would have to take place on the server, not in the app
> itself. Otherwise, the MitM that is forcing the replay would just remove the
> code that prevents the replays.

Correct. Replays only apply to the app server and must be deflected there. A MitM would need to be positioned between Mozilla's data center and the app's web server.

> Cheers,
> Brian

_______________________________________________
dev-webapps mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-webapps
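The thread's conclusion is that replay protection for signed payment notices has to live on the app's own server, whether or not the transport is HTTPS. The following is an added illustration of that server-side check, not code from this thread or from Mozilla's payments service. It assumes a constructed HS256-style compact token (header.payload.signature) with `jti`, `iat` and `exp` claims, a constructed shared secret, and an in-memory table of seen `jti` values; a real deployment would use the real verification key and a shared store such as a database.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for the example; a real app uses the key it was issued.
SECRET = b"constructed-example-secret"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in compact JWT serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding stripped on encoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_notice(claims: dict, secret: bytes = SECRET) -> str:
    """Build a constructed HS256-signed notice (stands in for the payment processor)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


class NoticeVerifier:
    """Server-side verifier: checks the signature, freshness, and rejects replayed jti values."""

    def __init__(self, secret: bytes = SECRET, window: int = 300, now=time.time):
        self.secret = secret
        self.window = window  # max accepted age of a notice, in seconds
        self.now = now        # injectable clock so behaviour is testable
        self.seen = {}        # jti -> exp; entries are dropped once the token itself expires

    def verify(self, token: str):
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed"
        header, body, sig = parts
        # Signature first: nothing in an unverified payload can be trusted.
        expected = hmac.new(self.secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        try:
            given = b64url_decode(sig)
            claims = json.loads(b64url_decode(body))
        except (ValueError, UnicodeDecodeError):
            return False, "malformed"
        if not hmac.compare_digest(expected, given):
            return False, "bad signature"

        now = self.now()
        # Purge jtis whose tokens have expired; an expired token is rejected anyway,
        # so the table only needs to cover the live window.
        self.seen = {j: exp for j, exp in self.seen.items() if exp > now}

        exp, iat, jti = claims.get("exp"), claims.get("iat"), claims.get("jti")
        if not isinstance(exp, (int, float)) or now >= exp:
            return False, "expired"
        if not isinstance(iat, (int, float)) or now - iat > self.window:
            return False, "too old"
        if not isinstance(jti, str) or not jti:
            return False, "missing jti"
        # The replay check: a valid token presented twice is rejected the second time.
        if jti in self.seen:
            return False, "replay"
        self.seen[jti] = exp
        return True, "ok"


if __name__ == "__main__":
    v = NoticeVerifier()
    t = int(time.time())
    notice = make_notice({"jti": "n-1", "iat": t, "exp": t + 300, "price": "0.99"})
    print(v.verify(notice))  # first presentation accepted
    print(v.verify(notice))  # second presentation rejected as a replay
```

Because the `seen` table is keyed on `jti` and bounded by `exp`, the server only has to remember identifiers for as long as the token could still pass the expiry check. Rejecting on signature before reading any claim matters: a forwarding party that strips or alters the payload cannot influence which branch is taken.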
