Kumar McMillan wrote:
> Gerv linked to StartSSL but honestly it sounded too good to be true
> :) Is it really free as in free now and forever?
http://www.startssl.com/?app=1

I don't think anything is "forever."

> > If payments are available for hosted apps, then that means that the
> > prevention of replays would have to take place on the server, not
> > in the app itself. Otherwise, the MitM that is forcing the replay
> > would just remove the code that prevents the replays.
>
> Correct. Replays only apply to the app server and must be deflected
> there. A MitM would need to be positioned between Mozilla's data
> center and the app's web server.

I see. Seems like we could look to AWS, PayPal, Google Checkout, etc. to see how they deal with these issues.

If there is a replay, does the user lose money or does the developer lose something? If it isn't possible to take money from the user without the user's consent then I think it seems OK to not require SSL if the developer is willing to take that risk, as long as no personally-identifiable information is being sent over an insecure channel.

And, if it is possible for a replay to cost the user money without the user's consent then that seems like a more general and more serious problem, as the amount of money the user spends shouldn't depend on how well the app defends against replays.

Cheers,
Brian

_______________________________________________
dev-webapps mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-webapps
